Security Management


Date Submitted: 11/27/2011 05:11 PM


Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

* Choose the appropriate type of policies to document a security programme.

* Distinguish between the roles of standards, regulations, baselines, procedures, and guidelines.

* Organize a typical standards and policies library.

* Classify assets according to standard principles.

* Incorporate the separation of duties principle when creating a security policy.

* Outline the minimum preemployment hiring practices for organizations.

* Analyze and manage risk.

* Outline the elements of employee security education, awareness, and training.

* List the eight types of people responsible for security in an information technology (IT) setting.

Introduction

This chapter describes the first domain of the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK): Security Management Practices. This domain appears first because it establishes the framework and foundation for all the other domains to build upon.

Security management is a broad set of executive support and management activities that define an IT security programme. (Note: This spelling is used to distinguish a management programme from a computer program.) A programme, unlike a project, is an ongoing management activity that is constantly funded and intended for the preservation and advancement of the organization.

Like any programme, an IT security programme begins with statements of management’s intent. These goals are translated into security policies (statements of management intent) and then used to drive the details of how the programme will run, who will be responsible for day-to-day work, how training and awareness will be conducted, and how compliance with policies will be handled.

Other areas addressed within the Security Management Practices domain are activities related to information classification,...