This chapter helps the reader prepare for the security-management domain. Security management addresses the identification of the organization's information assets. The security-management domain also introduces some critical documents, such as policies, procedures, and guidelines. These documents are of great importance because they spell out how the organization manages its security practices and detail what is most important to the organization.
These documents are not developed in a vacuum. Senior management sets the general direction, and risk-assessment and risk-analysis activities are used to determine where protective mechanisms should be placed. This chapter also introduces the two ways to calculate risk: qualitatively and quantitatively.
Finally, it's important not to forget the employees. Employees need to be trained on what good security is and what they can do to ensure that good security is always practiced in the workplace. The goal here, as in other domains, is to ensure the confidentiality, integrity, and availability of the organization's assets and information. This chapter divides security-management practices into five broad categories:
Before we jump into these topics and look at the ways in which information assets are protected, let's talk briefly about the risks of poor security management and the role of confidentiality, integrity, and availability.