CISSP Domain 3: SECURITY MANAGEMENT PRACTICES
Overview

Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented.

Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, safeguard implementation, and effectiveness review.

The candidate will be expected to understand: the planning, organization, and roles of individuals in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics, and the use of guidelines, standards, and procedures to support those policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.
Key Areas of Knowledge

Security Management Concepts and Principles
  - Privacy
  - Confidentiality
  - Integrity
  - Availability
  - Authorization
  - Identification and Authentication
  - Accountability
  - Non-repudiation
  - Documentation
  - Audit
  - CIA Triad

Protection Mechanisms
  - Layering
  - Abstraction
  - Data Hiding
  - Encryption

Change Control/Management
  - Hardware Configuration
  - System and Application Software
  - Change Control Process

Data Classification
  - Objectives of a Classification Scheme
  - Criteria by Which Data is Classified
  - Commercial Data Classification
  - Government Data Classification

Information/Data
  - Worth/Valuation
  - Collection and Analysis Techniques

Employment Policies and Practices
  - Background Checks/Security Clearances
  - Employment Agreements
  - Hiring and Termination Practices
  - Job Descriptions
  - Roles and Responsibilities
  - Separation of Duties and Responsibilities
  - Job Rotations

Policies, Standards, Guidelines and Procedures

Risk Management
  - Principles of Risk Management
  - Threats and Vulnerabilities
  - Probability Determination
  - Asset Valuation
  - Risk Assessment Tools and Techniques
  - Qualitative vs. Quantitative Risk Assessment Methodologies
  - Single Occurrence Loss
  - Annual Loss Expectancy (ALE) Calculations
  - Countermeasure Selection
  - Countermeasure Evaluation
  - Risk Reduction/Assignment/Acceptance

Roles and Responsibilities
  - Management
  - Owner
  - Custodian
  - Users
  - IS/IT Function
  - Other Individuals

Security Awareness Training

Security Management Planning