
Security Management and Practices

This chapter is from the book
Understand the principles of security management.

In understanding information security management, there are a number of principles you need to know to create a managed security program. These principles go beyond firewalls, encryption, and access control. They are concerned with managing the organization's information assets in areas such as privacy, confidentiality, integrity, and accountability, and with the basic mechanisms used in that management.

Know what management's responsibility is in the information security environment.

Management cannot simply decree that the systems and networks will be secure. It must take an active role in setting and supporting the information security environment. Without visible management support, users will not take information security seriously.

Understand risk management and how to use risk analysis to make information security management decisions.

Managing security is the management of risk. Knowing how to assess and manage risk is key to an information security management program.

Know how to set policies and how to derive standards, guidelines, and implement procedures to meet policy goals.

Policies are the blueprints of the information security program. From policies, you derive the standards and guidelines that will be used throughout your organization to maintain your security posture. Then, using those standards, you create the procedures that implement the policies.

Set information security roles and responsibilities throughout your organization.

From management to the users, everyone who has access to your organization's systems and networks is responsible for their role in maintaining security as set by the policies. Understanding these roles and responsibilities is key to creating and implementing security policies and procedures.

Understand how the various protection mechanisms are used in information security management.

Protection mechanisms (layering, abstraction, data hiding, and encryption) are the building blocks of the data protection architecture chosen in your information security program. They determine how data is protected and how access to it is granted.

Understand the considerations and criteria for classifying data.

Protecting data is the objective of every information security program. Therefore, we look at how data can be classified so that it is handled according to its sensitivity.

Determine how employment policies and practices are used to enhance information security in your organization.

Even with the press concentrating on the effects of denial-of-service attacks and viruses, the biggest threats come from within. Improving employment policies and practices, such as performing better background checks and handling hiring and termination more carefully, is an important information security practice because it helps minimize the internal threat.

Use change control to maintain security.

A common technique of a Trojan horse is to replace a legitimate program with one that can be used to attack the system. Change control is one defense against this type of attack: by recording and maintaining the approved configuration of programs, systems, and networks, you can detect changes that were never authorized and prevent them from being used to attack your systems.
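As an added illustration of the point above (this is example code written for this page, not code from the book), the following Python script records a baseline of file hashes at the time a configuration is approved and later compares the live system against it. Differences are only reported if they are not covered by an authorized change request, so a program that was silently replaced shows up while an approved configuration change does not. The directory layout (`bin/login`, `etc/app.conf`, `bin/backdoor`) and the file contents are constructed inline for the demonstration and are assumptions, not real system paths.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its hash.

    Symlinks are skipped so an attacker cannot make the baseline point at
    content outside the tree being controlled.
    """
    baseline: dict[str, str] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and not entry.is_symlink():
            baseline[entry.relative_to(root).as_posix()] = hash_file(entry)
    return baseline


def unauthorized_changes(
    approved: dict[str, str],
    current: dict[str, str],
    authorized: frozenset[str] = frozenset(),
) -> dict[str, list[str]]:
    """Compare the approved baseline with the current state.

    `authorized` holds the paths covered by approved change requests; any
    difference on a path outside that set is an unauthorized change.
    """
    added = sorted(p for p in set(current) - set(approved) if p not in authorized)
    removed = sorted(p for p in set(approved) - set(current) if p not in authorized)
    modified = sorted(
        p for p in approved.keys() & current.keys()
        if approved[p] != current[p] and p not in authorized
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: approved baseline, one authorized change, one Trojan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # hypothetical controlled tree
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n")
        (root / "etc" / "app.conf").write_text("debug=off\n")

        # Baseline is taken when the configuration is approved. In practice it
        # would be stored off-host or read-only so the attacker cannot re-baseline.
        approved = build_baseline(root)

        # Authorized change request covering etc/app.conf only.
        (root / "etc" / "app.conf").write_text("debug=off\nlog_level=info\n")

        # Unauthorized: a Trojan horse replaces the login program and drops a new file.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\n/tmp/capture \"$@\"; exec /usr/bin/real-login \"$@\"\n")
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\nnc -l 4444 -e /bin/sh\n")

        return unauthorized_changes(approved, build_baseline(root), frozenset({"etc/app.conf"}))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The important operational detail is where the baseline lives: a hash list stored on the same host with the same permissions as the monitored files can be rewritten by whoever replaced the program, so it should be kept on a separate, write-protected system, the same way the chapter later argues audit data must be protected.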

Know what is required for Security Awareness Training.

The best security policies and procedures are ineffective if users do not understand their roles and responsibilities in the security environment. Training is the means by which users come to understand those responsibilities.



  • Defining Security Principles

    • CIA: Information Security's Fundamental Principles
      • Confidentiality
      • Integrity
      • Availability
    • Privacy
    • Identification and Authentication
      • Passwords
    • Nonrepudiation
    • Accountability and Auditing
      • Keystroke Monitoring
      • Protecting Audit Data
    • Documentation

  • Security Management Planning

  • Risk Management and Analysis

    • Risk Analysis
    • Identifying Threats and Vulnerabilities
    • Asset Valuation
    • Qualitative Risk Analysis
    • Countermeasure Selection and Evaluation
    • Tying It Together

  • Policies, Standards, Guidelines, and Procedures

    • Information Security Policies
      • How Policies Should Be Developed
      • Define What Policies Need to Be Written
      • Identify What Is to Be Protected
      • Identify from Whom It Is Being Protected
    • Setting Standards
    • Creating Baselines
    • Guidelines
    • Setting and Implementing Procedures

  • Examining Roles and Responsibility

  • Management Responsibility

    • User Information Security Responsibilities
    • IT Roles and Responsibilities
    • Other Roles and Responsibilities

  • Understanding Protection Mechanisms

    • Layering
    • Abstraction
    • Data Hiding
    • Encryption

  • Classifying Data

    • Commercial Classification
    • Government Classification
    • Criteria
    • Creating Procedures for Classifying Data

  • Employment Policies and Practices

    • Background Checks and Security Clearances
    • Employment Agreements, Hiring, and Termination
      • The Acceptable Usage Policy
      • Termination
    • Job Descriptions
    • Job Rotation

  • Managing Change Control

    • Hardware Change Control
    • Software Change Control

  • Security Awareness Training

  • Summary

  • Apply Your Knowledge

Study Strategies

Even if you are not part of your organization's management team, watch how management works in the information security environment. Take the practices and strategies written here and look at not only how your organization implements them, but how they can be improved. This type of lateral thinking will help on the exam and can make you a valuable contributor to your organization's security posture.

The notes throughout the chapter point out key definitions and concepts that could appear on the exam. They are also key components that all managers should understand.

This chapter covers Domain 3, Security Management Practices, one of the 10 domains of the Common Body of Knowledge (CBK) covered in the Certified Information Systems Security Professional examination. This domain is divided into several objectives for study.

    "Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented.

    Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

    The candidate will be expected to understand the planning, organization, and roles of the individual in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidential, proprietary, and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources."

    —Common Body of Knowledge study guide



Security management can be difficult for many information security professionals to grasp. It is the bridge between understanding what is to be protected and why those protections are necessary. Using basic principles and a risk analysis as building blocks, policies can be created to implement a successful information security program.

As part of creating that program, information security management should also understand how standards and guidelines play a part in creating procedures. In doing so, every user's roles and responsibilities should be accounted for, based on an understanding of how the organization's information assets are to be protected.

The role of data as a significant part of the organization's information assets cannot be minimized. Data is the fuel that drives your organization, but it is also the asset that is most vulnerable. Protecting it means understanding the various classification mechanisms and how they can be used to protect your critical assets.

This chapter covers all these issues and discusses security awareness and managing people in your information security environment.
