Certified Information Systems Security Professional (CISSP) is an internationally recognized security qualification. Success in this respected exam opens the door to a career as a security expert and to an attractive salary. But passing the exam is challenging. Every year many candidates prepare insufficiently and fail at the final stage. This typically happens when they cover all of the material but do not revise it properly, and so enter the exam lacking confidence.
This book will take you through the final weeks before the exam with a day-by-day plan covering all of the exam topics. It will help you to enter the exam room with confidence, knowing that you have done all you can to prepare for the big day.
This small, concise CISSP quick-revision guide provides a disciplined approach to reviewing and revising the core concepts in the month before the exam. It gives concise explanations of the important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK). Each domain is covered in two chapters, presented as days, and each chapter contains practice questions. A full mock test is included for practice. This book is not a replacement for full study guides; it builds on and reemphasizes the concepts learned from such guides.
A quick revision guide including study material and practice questions to prepare for the CISSP Exam
This book adopts a 'concise explanation' approach to the concepts in the 10 information security domains covered by the CISSP examination. It is therefore a 'quick revision guide', intended to be studied in the month prior to the examination. By breaking difficult concepts and theories down into simple two- to four-line explanations, the assimilation and, most importantly, the 'recall' of a concept is improved. This approach helps a candidate to focus on the core concepts before the exam, and to recall them and relate them to other concepts in order to identify the right answer during the exam.
This book is for all aspirants who are planning to take the CISSP examination and obtain the coveted CISSP certification that is considered as the 'Gold Standard' in Information Security personal certification.
This book assumes that the candidate already has sufficient knowledge of all 10 domains of the CISSP CBK from work experience and from other study books. It provides concise explanations of the core concepts that are covered in the exam.
Besides being an Information Security-focused guide, this book will also be useful as a quick reference and revision guide for System and Network Administrators, Database Administrators, System Analysts, Software Developers, Application Designers, System Architects, Legal Professionals, Security Officers, Business Continuity professionals, IT Auditors, IS Auditors, Vulnerability Assessors, Penetration Testers, and Ethical Hackers.
Page count: 357
Year of publication: 2008
Copyright © 2008 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: December 2008
Production Reference: 1121208
Published by Packt Publishing Ltd.
32 Lincoln Road
Olton
Birmingham, B27 6PA, UK.
ISBN 978-1-847194-50-3
www.packtpub.com
Cover Image by Vinayak Chittar (<[email protected]>)
Author
M. L. Srinivasan
Reviewer
Jagan Rao
Acquisition Editor
Bansari Barot
Development Editor
Ved Prakash Jha
Technical Editor
Darshana D. Shinde
Copy Editor
Sneha M. Kulkarni
Editorial Team Leader
Akshara Aware
Project Manager
Abhijeet Deobhakta
Project Coordinator
Neelkanth Mehta
Indexer
Rekha Nair
Proofreader
Joel T. Johnson
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
M. L. Srinivasan is presently the founder and CEO of ChennaiNet, an India-based technology company focused on Information Technology and Information Security related product development, services, and training. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Management System Lead Auditor.
Popularly known as MLS, the author is an Information Technology and Information Security professional, with roughly 18 years of experience in various domains of IT such as Software Programming, Hardware Troubleshooting, Networking Technologies, Systems Administration, Security Administration, Information Security-related consulting, auditing, and training. MLS has been an avid trainer throughout his career and has developed many short-term and long-term training programs. One such program is "Certified Vulnerability Assessor" (cVa), which is accredited by a leading ISO certifying agency. He's a prolific speaker and has presented many papers on the Network Security domain at many international conventions and conferences.
He is a specialist IT and IS auditor with Det Norske Veritas (DNV), India region. He has performed many quality and information security audits in hundreds of medium and large organizations over the past 10 years.
He was a Technical Director with Secure Matrix, an India-based company that provides information security consulting and audits. During his tenure in the last four years, he led a team of consultants to implement many ISO 27001-certification projects across India, the Middle East, and Africa.
I would like to thank my family for all the support and, in particular, my wife who patiently proofread all the chapters.
My special thanks and gratitude go to Mr. Jagan Rao for his critical feedback on the content.
I would like to thank the (ISC)2 and the CISSP community for their relentless effort in spreading the information security knowledge across the world.
Last, but not the least, I would like to thank the entire team at Packt for their enthusiasm and support throughout the project.
Jagan Rao holds a Masters degree from the Indian Institute of Technology, Kharagpur.
He has two decades of work experience in various fields of Information Technology, particularly Infrastructure Support, Database Management, and Information Security.
He holds the CISSP, CISM, PMP, and ABCP credentials, and is certified in Oracle DBA, IBM, and HP-UX System Administration.
He is currently working as a Manager, IT Architecture, in an upcoming greenfield aluminium smelter (EMAL), which, on completion, is expected to become the world's largest single-site smelter.
I would like to thank my ex-colleagues, Naseeba Al Rais and Rajesh Hemrajani, for their continued support and the passion that they show for information security-related endeavours.
I would also like to thank my ex-employer, Dubai Aluminium, and my current employer, Emirates Aluminium, for giving me many opportunities and challenging assignments, particularly in the area of Information Security.
I would like to dedicate this book to my father who is the guiding force behind everything.
The Certified Information Systems Security Professional (CISSP) is an internationally recognized security qualification. Success in this esteemed exam opens the door to your dream job as an information security expert. As industry surveys show, a CISSP candidate earns a better salary than his counterparts without a security certification. In addition, the CISSP is a recognized qualification for US government jobs in the Department of Defense (DoD), and the National Security Agency (NSA). Similarly, this certification is also recognized by many governmental departments, businesses, stock exchanges, banks, and universities around the world. Therefore, obtaining this international certificate will present you with a host of opportunities, whether it is for employment, consulting, or an audit profession in the information security field.
But passing the final exam is challenging. Every year many candidates who attempt the exam do not prepare sufficiently and, unfortunately, fail at the final stage. This happens when they cover everything but do not properly review, which leads to a lack of confidence. This book will take you through the final weeks before the exam with a day-by-day plan that will cover all of the exam topics. It will help you to enter the exam room with confidence, knowing that you have done all you could to prepare for the examination day. This small, concise CISSP exam quick-revision guide provides a disciplined approach to be adopted for reviewing and revising the core concepts a month before the exam. This book provides a succinct explanation of important concepts in all 10 domains of the CISSP Common Body of Knowledge (CBK).
Introduction: This chapter introduces the organization of the guide, expectations, and the approach adopted.
Day 1: This chapter covers various concepts related to security management practices, control environment, and asset classification and controls.
Day 2: This chapter discusses important requirements of security awareness and training as well as risk assessment and management.
Day 3: This chapter covers the threats, vulnerabilities, and countermeasures for physical security and physical security design that includes perimeter and interior security.
Day 4: This chapter addresses the concepts in operations and facility security, along with protecting and securing equipment.
Day 5: This chapter covers concepts related to access control, methodologies and techniques, authentication, and access-related attacks and countermeasures.
Day 6: This chapter covers concepts related to vulnerability assessment and penetration testing.
Day 7: This chapter covers various concepts related to cryptography, such as methods and types of encryption, as well as the application and use of cryptography.
Day 8: This chapter covers the core concepts in Public Key Infrastructure, key management techniques, methods of cryptanalytic attacks, and various cryptographic standards.
Day 9: This chapter covers various concepts in the areas of operations procedures and responsibilities, incident management, and reporting.
Day 10: This chapter covers control environment related to operations security and also evaluation criteria, such as TCSEC.
Day 11: This chapter covers concepts in systems engineering and the Software Development Life Cycle models.
Day 12: This chapter covers IT systems, threats and vulnerabilities of application systems, and application control concepts.
Day 13: This chapter covers various concepts in network architecture, the Open Systems Interconnection (OSI) model, and the TCP/IP model. It also covers the application- and transport-layer protocols of the TCP/IP model, along with threats, vulnerabilities, attacks, and countermeasures for the TCP/IP protocols and services.
Day 14: This chapter covers different protocols that are in the network/Internet layer, data link layer, and physical layer in the TCP/IP model. In addition, it covers some of the threats and vulnerabilities that are prevalent in such protocols, common attacks, and possible countermeasures.
Day 15: This chapter covers concepts in computer architecture, the Trusted Computing Base, and protection domain and its related mechanisms.
Day 16: This chapter addresses the concepts in assurance-related standards, various certification and accreditation schemes, and various computer security models.
Day 17: This chapter covers various concepts in Business Continuity Planning, its goals and objectives as well as the concepts in the Business Impact Analysis.
Day 18: This chapter covers the Disaster Recovery Planning process, various backup concepts, and the process of resuming business from alternative sites.
Day 19: This chapter covers various computer crimes, cyber crimes, as well as different types of attacks.
Day 20: This chapter covers laws and regulations related to information systems across the world. Additionally, it covers concepts related to computer investigations and ethical usage of information systems as prescribed by international bodies including (ISC)2.
Day 21: This chapter contains a full mock test paper containing a total of 250 questions from all 10 domains.
References: This chapter provides various references and books that are relevant to the CISSP exam preparation.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
New terms and important words are introduced in a bold-type font.
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply drop an email to <[email protected]>, making sure to mention the book title in the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on http://www.packtpub.com or email <[email protected]>.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on http://www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our contents, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in text or code—we would be grateful if you would report this to us. By doing this you can save other readers from frustration, and help to improve subsequent versions of this book. If you find any errata, report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata added to the list of existing errata. The existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide the location address or website name immediately so we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with some aspect of the book, and we will do our best to address it.
Certified Information Systems Security Professional (CISSP) is a coveted certification for an information security professional. Certified individuals are considered experienced and knowledgeable information security professionals because of the requirements for certification: to appear for the exam, a candidate should have a minimum of five years of relevant practical experience (four years with a qualifying degree or approved credential) in two or more domains of information security.
CISSP is acclaimed as the gold standard of the security industry. The CISSP exam is conducted by the International Information Systems Security Certification Consortium, (ISC)², a non-profit consortium that certifies information security professionals throughout their careers. (ISC)² was founded in 1989 by industry leaders and has certified over 60,000 information security professionals in more than 120 countries.
The (ISC)² Board of Directors includes top Information Security (IS) professionals from a cross-section of the industry. The board members are CISSP certified and are elected, on a volunteer status, by others who have been certified.
As per (ISC)², CISSP was the first credential in the field of information security to be accredited by ANSI (the American National Standards Institute) to ISO/IEC 17024:2003, the standard of the International Organization for Standardization and the International Electrotechnical Commission for personnel certification bodies. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement:
We will be focusing on the CISSP exam in this quick revision guide.
Eligibility for obtaining this certificate is twofold:
Examination: The exam consists of 250 multiple-choice questions worth 1000 points, to be answered within six hours. Of the 1000 points, a minimum of 700 (70%) is required to pass. The weight of each question varies and the distribution is not disclosed to candidates. The exam is a written (paper-based) exam; an online test option is not offered. (ISC)² regularly conducts the exam throughout the world, and the exam schedules are available on the (ISC)² website: http://www.isc2.org.
Professional experience: Subscribing to the (ISC)² code of ethics, and showing proof of direct professional work experience of no less than five years (four with a qualifying degree or approved credential) in two or more of the security domains prescribed in the (ISC)² CISSP Common Body of Knowledge (CBK).
Those who do not have relevant experience can still appear for the CISSP exam. If they pass, (ISC)2 will award them with an Associate of (ISC)2 credential. Subsequently by gaining relevant years of experience, the candidate can show evidence and obtain the CISSP credential.
As per (ISC)², the Associate of (ISC)² status is available to qualified candidates who:
The following information is extracted from the (ISC)² website pertaining to the (ISC)² CBK.
The (ISC)² CBK is a taxonomy—a collection of topics relevant to information security professionals around the world. The (ISC)² CBK establishes a common framework of information security terms and principles, which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding.
The (ISC)² was established in 1989, in part, to aggregate, standardize, and maintain the (ISC)² CBK for information security professionals worldwide.
Domains from the (ISC)² credentials are drawn from various topics within the (ISC)² CBK. The (ISC)² uses the CBK to assess a candidate's level of mastery of the most critical domains of information security.
The (ISC)² CBK, from which the (ISC)² credentials are drawn, is updated annually by the (ISC)² CBK Committee to reflect the most current and relevant topics required to practice the profession of information security.
The (ISC)² CBK for CISSP contains ten security domains. A candidate attempting the CISSP exam is tested for knowledge in these domains. The following are the ten security domains along with their key areas of knowledge:
While preparing for the CISSP exam, a candidate has to read and understand many books and references. Many books cover the CISSP CBK domains in depth and provide a starting point for a thorough preparation to the exam. References to such books are covered in the references chapter at the end of this book. However, since many concepts are spread across the ten domains, it is always important to review the various concepts before the exam. This book addresses the requirements of revisiting the key concepts in these ten domains that are explained in a short, simple, and lucid form.
Many concepts overlap and apply to more than one security domain. For example, the concepts of threat, vulnerability, and risk apply to all of the domains, with only the specifics varying. The ten security domains are therefore arranged in a logical order so that the concepts are covered in the most appropriate sequence in this guide. A candidate can refer to this book throughout the preparation or, most importantly, use it for a systematic day-by-day review of the ten domains in the month leading up to the exam. To support that, the material is divided into 21 convenient days.
This chapter explained the eligibility requirements for the CISSP examination, the organization that is conducting the exam, the structure of the exam, information about the Common Body of Knowledge (CBK), the ten security domains prescribed in CBK, and the relevant key knowledge areas.
In the next chapter, we will explore the important concepts pertaining to information security and risk management.
Information security and risk management are closely intertwined. Information security preserves the Confidentiality, Integrity, and Availability (CIA) of organizational assets; risk management identifies the threats and vulnerabilities that could impact that security and devises suitable controls to mitigate the resulting risks. We will discuss the important concepts in this domain in the next two chapters.
A candidate appearing for the CISSP exam is expected to have broad knowledge and understanding of the following areas in the "Information Security and Risk Management" domain:
Information security is everyone's responsibility. Planning for suitable information security management practices is the first step. The planning process involves understanding the security requirements based on the business itself, and developing a suitable management framework.
The role played by individuals in securing an organization's information assets is vital. The second step is to set up a security organization framework consisting of individuals with specific roles and responsibilities.
Finally, the assets that need protection should be identified, and the level and type of security requirements need to be determined. Levels are based on CIA requirements and types are physical, logical, environmental, and so on. There are two important processes that help in requirement identification: asset classification and risk assessment.
Asset classification is a process that groups assets by type (for example, physical, hardware, software, paper document, and so on) and classifies them by sensitivity (for example, Confidential, Private, Public, and so on). Risk assessment is a process that determines a quantitative (for example, monetary) or qualitative (for example, high, medium, low) risk value based on the type, sensitivity, and value of the asset.
Policies specify the management's intent on information security. For example, 'Information security policy' is a high-level document that specifies management views, intent, and support for information security throughout the organization. Other policies at department levels are developed to support high-level policies. Some such policies are Human Resources (HR) policy, Risk management policy, Access policy, and so on.
Development and use of guidelines, standards, and procedures to support the policies: Policies only specify the management views, intent, and support. Adherence to a policy, however, requires the implementation of suitable controls. For example, access policies specify the management intent to control access to assets; to comply with them, controls such as a firewall or an access card (smart card) system are implemented. A firewall policy or a smart card policy is a subpolicy that supports the access policy, which in turn supports the information security policy. Guidelines, standards, and procedures are developed to support the policies.
Guidelines specify the rules or acceptable methods for implementing a policy. For example, if a firewall policy states that all incoming and outgoing traffic should be filtered to allow only authorized connections, then guidelines specify the rules and acceptable methods to be followed. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, is an example of a guideline document.
A standard is a reference point. For example, ISO/IEC 27001:2005 is an Information Security Management System (ISMS) standard that can be used as a reference point for the security management program in the organization.
Procedures support policies, guidelines, and standards. Procedures are step-by-step instructions to implement a policy, guideline, or a standard. The aim of a procedure is to achieve the desired goal through a sequence of steps.
Security awareness training to alert employees to the importance of information security, its significance, and the specific security-related requirements relative to their position: Humans are the weakest link in the information security chain, and the human impact on information security is vital. Security awareness training is important to mitigate the risks arising from human error.
Importance of confidentiality, proprietary, and private information: Information is a business asset and has a pivotal value in an organization. The value of information depends on factors such as monetary value, age, useful life, and sensitivity. Confidential, proprietary, and private information are classifications based on the nature of the information and its ownership. The importance of such information rests not only on its value, but also on the legal and regulatory requirements for its protection.
Employment agreements, employee hiring, and termination practices: Practices related to human resource management are critical for a strong information security program. Employment agreements establish the role of an individual in protecting the organization's assets and specify the dos and don'ts. Suitable hiring and termination practices, such as background checks, reference checks, segregation of duties, security clearances, access revocation, and so on, are needed to ensure information security.
Risk management practices: Risk management practices include the identification of risks through risk analysis and assessment, and risk treatment techniques such as reducing (mitigating), transferring, and avoiding risks, and accepting the residual risk.
Tools to identify, rate, and reduce the risk to specific resources: Risk is a function of the probability of a threat exploiting a vulnerability and the resulting impact on the specific resource or asset. Risk analysis and assessment is the process that identifies and rates these risks; controls are then selected and applied to reduce them.
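The rating and reduction of risk described in the last two items, worked through as an added example that is not the book's own code. It uses the standard quantitative formulas that this page does not spell out (single loss expectancy SLE = asset value × exposure factor; annualized loss expectancy ALE = SLE × annualized rate of occurrence; value of a safeguard = ALE before − ALE after − annual cost of the safeguard) alongside a qualitative likelihood/impact matrix. The `Risk` class, the three assets in `RISKS`, their values and rates, and the control cost are all constructed for this illustration.

```python
"""Rating risks quantitatively and qualitatively and judging a safeguard.

Added example, not from the book. Quantitative part: SLE = asset value x
exposure factor, ALE = SLE x ARO, safeguard value = ALE before - ALE after -
annual control cost (standard formulas, not quoted on this page).
Qualitative part: a 3x3 likelihood/impact matrix. All asset values, rates
and costs below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of the value lost in one incident (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (incidents per year)


def sle(risk):
    """Single loss expectancy: what one incident costs."""
    return risk.asset_value * risk.exposure_factor


def ale(risk):
    """Annualized loss expectancy: expected cost per year."""
    return sle(risk) * risk.aro


def rank(risks):
    """Order risks by ALE, highest first, so the worst is treated first."""
    return sorted(risks, key=ale, reverse=True)


LEVELS = ("low", "medium", "high")


def qualitative(likelihood, impact):
    """Rate a risk on a 3x3 matrix when no monetary figures are available.

    Product of 1-based level indices: 1-2 -> low, 3-4 -> medium, 6-9 -> high.
    """
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def safeguard_value(risk, control_cost, residual_aro):
    """Net annual value of a control that lowers the ARO to residual_aro.

    Positive means the control costs less per year than the loss it prevents.
    """
    after = Risk(risk.asset, risk.asset_value, risk.exposure_factor, residual_aro)
    return ale(risk) - ale(after) - control_cost


# Constructed register of three assets for the worked example.
RISKS = [
    Risk("customer database", 500_000, 0.4, 0.1),
    Risk("public web server", 50_000, 1.0, 0.5),
    Risk("backup tapes", 20_000, 0.5, 0.2),
]

if __name__ == "__main__":
    for r in rank(RISKS):
        print(f"{r.asset:18s} SLE={sle(r):>10,.0f} ALE={ale(r):>9,.0f}")
    web = RISKS[1]
    print("web server control worth it:",
          safeguard_value(web, control_cost=8_000, residual_aro=0.1) > 0)
    print("qualitative(medium, high) =", qualitative("medium", "high"))
```

Ranking by ALE puts the web server first even though the database is worth ten times more, because the web server's full exposure and higher frequency dominate; the same register rated qualitatively would need a justified mapping of each asset onto the matrix, which is why the quantitative figures are preferred wherever they can be obtained.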
Based on the knowledge expected for the CISSP exam, this chapter is broadly grouped under four sections as shown in the following diagram:
Section 1: Security Management Practices introduces various concepts, practices, and controls that are related to the day-to-day and overall management of information security in an organization.
Section 2: Asset Classification and Control covers the all-important 'asset management' practices from the information security perspective. This essentially means classifying or grouping of assets based on the criticality of the asset and devising suitable 'security controls' to maintain information security. This section also deals with classification types that are prevalent in government and private organizations.
Unless otherwise specified, whenever the term 'Government' or 'Governmental' is used, it denotes United States Government.
Section 3: Security Awareness and Training talks about the relevance of awareness as the most important risk mitigation strategy, as humans are considered to be the 'weakest link' in the information security chain.
Section 4: Risk Management Practices deals with the concepts in risk assessment practices, such as quantitative and qualitative analyses, and risk mitigation strategies such as reducing, transferring, and avoiding risks. This section also introduces the subsets of risk management practices such as Incident management, Business Continuity Planning, and Disaster Recovery Planning. Business Continuity Planning and Disaster Recovery Planning are dealt with in detail in the chapters for Days 17 and 18, and incident management in the chapter for Day 9.
Today we shall quickly review the concepts in the following sections:
Section 1: Security Management Practices
Section 2: Asset Classification and Control
At the end of this chapter, you should be able to explain the following topics:
Information security has long been considered to be purely a matter of Information Technology (IT) and its technical components; in other words, technology-related controls were thought to be sufficient to mitigate information security risks. This is a misconception, as organizations have come to realize that information security also consists of management and administrative controls that may not be technical at all.

Consider a firewall. It is a technical means of filtering the traffic coming into and going out of an organization's IT network: its purpose is to let legitimate packets in and out and to block unauthorized or malicious data from entering the internal network. Hence, it is a technical control. However, merely installing a firewall does not provide reasonable assurance of security. Management, based on the business objectives and the information security policy, determines what traffic is authorized; this is a management control that specifies "what to allow". Based on that policy, the firewall has to be configured (fine-tuned) and monitored regularly to ensure that it filters traffic as the policy requires. This type of control specifies "how to allow" in the form of procedures, and also monitors the implementation of the policy and its effectiveness; it is called an administrative control. All three types of control are required for assurance of effective information security.
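The firewall example above, carried through as an added example that is not the book's own code: the management decision on "what to allow" is data (`POLICY`), the firewall rule set is the technical control (`RULESET`), and `audit()` is the administrative control that checks the one against the other and reports drift in either direction. The `Flow` class, the rule-line format, the addresses, the unauthorized RDP rule and the `has_default_deny` check are all constructed for this illustration.

```python
"""Checking a firewall rule set against the management policy.

Added example, not the book's own code. POLICY lists the flows the business
has authorized (management control); RULESET is what the firewall enforces
(technical control); audit() and has_default_deny() are the administrative
check that the technical control still matches the policy. The rule-line
format, addresses and flows are all constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # source network in CIDR notation
    dst: str    # destination network in CIDR notation
    proto: str  # "tcp", "udp" or "any"
    port: int   # destination port, 0 = any


# Management control ("what to allow"): the only flows that are authorized.
POLICY = [
    Flow("0.0.0.0/0", "203.0.113.10/32", "tcp", 443),  # public web server, HTTPS
    Flow("10.0.0.0/8", "203.0.113.20/32", "tcp", 22),   # SSH to the admin host, internal only
]

# Technical control as configured: "allow|deny <src> <dst> <proto> <port>", first match wins.
# The third line is a rule an administrator added without a policy decision behind it.
RULESET = """
allow 0.0.0.0/0 203.0.113.10/32 tcp 443
allow 10.0.0.0/8 203.0.113.20/32 tcp 22
allow 0.0.0.0/0 203.0.113.20/32 tcp 3389
deny 0.0.0.0/0 0.0.0.0/0 any 0
"""


def parse_rules(text):
    """Turn the constructed rule-line format into (action, Flow) pairs."""
    rules = []
    for line in text.strip().splitlines():
        action, src, dst, proto, port = line.split()
        rules.append((action, Flow(src, dst, proto, int(port))))
    return rules


def covered_by(flow, allowed):
    """True if everything `flow` permits is also permitted by `allowed`."""
    return (ip_network(flow.src).subnet_of(ip_network(allowed.src))
            and ip_network(flow.dst).subnet_of(ip_network(allowed.dst))
            and flow.proto == allowed.proto
            and flow.port == allowed.port)


def audit(rules, policy):
    """Administrative control: compare the rule set with the policy.

    Returns (unauthorized, missing): allow rules that no policy entry covers,
    and policy flows that no allow rule implements.
    """
    allows = [flow for action, flow in rules if action == "allow"]
    unauthorized = [f for f in allows if not any(covered_by(f, p) for p in policy)]
    missing = [p for p in policy if not any(covered_by(p, a) for a in allows)]
    return unauthorized, missing


def has_default_deny(rules):
    """True if the final rule denies all traffic (deny-by-default stance)."""
    if not rules:
        return False
    action, flow = rules[-1]
    return (action == "deny"
            and ip_network(flow.src).prefixlen == 0
            and ip_network(flow.dst).prefixlen == 0
            and flow.proto == "any")


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    unauthorized, missing = audit(rules, POLICY)
    for f in unauthorized:
        print(f"NOT IN POLICY:   allow {f.src} -> {f.dst} {f.proto}/{f.port}")
    for f in missing:
        print(f"NOT IMPLEMENTED: {f.src} -> {f.dst} {f.proto}/{f.port}")
    print("default deny present:", has_default_deny(rules))
```

Run periodically against the exported rule set, this is the "monitor that it is working as per the policy" step: an allow rule with no policy entry behind it is the finding an auditor wants, and a policy flow with no rule is a service that will be found blocked only when someone needs it.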
Let us move on to understand the basic concepts of information security and the controls that are mentioned. In order to understand information security, we need to define the term "information". Information is a business asset that adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or passed on in conversations.
Information security management is characterized as preserving Confidentiality, Integrity and Availability (CIA) of information and related assets. These three concepts are referred to as the tenets of information security. The three tenets can be represented in a triangular format, and hence are called a CIA Triad. The following diagram illustrates the CIA Triad:
Unless specifically defined, an entity can be personnel, a system, an application, or a process.
Every asset requires a certain degree of assurance for each of the CIA levels, and that degree differs from asset to asset. It is not always necessary for all confidential information to be available all the time. For example, a business agreement or memorandum of understanding constitutes a legal document, and may be stored in a safe place such as a bank locker. Though the asset is highly confidential, its availability requirement is limited to business hours. Similarly, the home page of a company web site is not confidential information, but its availability requirement is higher.
Authorized entities need to have access to the information. In order to facilitate such access, two activities come into play: identification and authentication.
In addition to the two activities above, the system needs to ensure that information security is assured by enforcing the following three concepts: authorization, accountability, and privacy.
Once an entity is identified and authenticated, the system needs to control access to resources based on the entity's rights and permissions to access a particular resource. This is called authorization, and this process determines the level of access allowed. For example, a manager may have access to certain information that a supervisor is not allowed to access.
Once the authorization is in effect, it is important that the activities of the entity are limited to accessing the authorized resources. To ensure this, a monitoring activity is put in place. The activity of monitoring an entity's behavior in the system is known as accountability. Access logs and audit trails are some examples of this activity.
Most importantly, even when an authorized entity accesses the information, the confidentiality requirement of that information determines which actions can be performed on it. Whether the information can be copied, printed, forwarded to third parties, and so on is determined by the confidentiality requirements. This requirement is known as privacy.
All the above concepts and activities form the basis of information security management. In order to ensure that these activities perform as expected, various checks and balances are introduced. These checks and balances are termed the control environment. We now move on to understand the control environment pertaining to security.
The basis of a control environment is risk management. Based on the security risks that an organization faces, suitable controls are devised and deployed to mitigate those risks. A risk is a function of the probability of a security event occurring and the consequence of that event; risk is characterized by threats and vulnerabilities.
Human loss would have been a disastrous consequence of the hurricane event "Gustav". One of the controls here is evacuation. However, long-term controls could include predictability, containing global warming, and so on.
The primary objective of a control is to mitigate risks arising out of threats and vulnerabilities. At the macro level, there are three types of controls that are prevalent in organizations.
Management controls state the views of management and its position on particular topics.
An information security policy is a management control wherein management provides its views as well as support and direction for security.
While a policy is a high-level document that shows the intent of the management, administrative controls are used to implement such policies.
Procedures, guidelines, and standards are administrative controls that support the policies.
Since information is stored and processed predominantly in IT systems, technical controls are used to support the management and administrative controls by technical means.
Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, anti-spam, anti-phishing, antivirus, and so on are examples of technical controls.
Besides these three broad levels of controls to ensure that information is secure, the following four types of controls are used as countermeasures to mitigate the risk arising out of the vulnerability exploitations in a system:
