Summary

In this chapter, we covered the key elements of physical security, social engineering, and the environment. This chapter also showed you how business continuity, information security, and access models work.

Physical security measures include access controls, physical barriers, and environmental systems. Environmental considerations include electrical, fire suppression, and interference issues.

Wireless cell technology is growing at a rapid rate worldwide. The newest technology, GSM, allows interchangeable modules, called SIMs, to be used for international access. United States and European standards are not interchangeable at this time. Many cell phone manufacturers are building cell phones that can operate in either environment equally well.

Security models must be concerned with physical security, security zones, partitioning, and the communications infrastructure. You should take a multilayered approach when you implement a security model.

Security models begin with an understanding of the business issues that the organization is facing. Business issues that must evaluated include:

  • Policies

  • Standards

  • Guidelines

A good policy design includes scoping statements, overview statements, accountability expectations, and exceptions. Each of these aspects of a well- crafted policy helps set the expectation for everyone in a company. For a policy to be effective, it needs the unequivocal support of the senior management or decision-makers in an organization.

A number of standards are being developed to implement security standards in organizations. One of the newest standards gaining support worldwide is the ISO 17799 standard. This standard identifies the 10 key areas that a security policy or model must include. Certification using this standard is obtained through an auditing function performed by an outside party or accrediting agency.

Business Continuity Planning is the process of making decisions about how losses, outages, and failures are handled within an organization. The key aspects of BCP are Business Impact Analysis and risk assessment.

BIA includes evaluating the critical functions of the organization. This information is used to make informed decisions about how to deal with outages should they occur.

Risk analysis is the process of evaluating and cataloging what threats, vulnerabilities, and weaknesses exist in the systems being used. The risk assessment should tie in with the BCP to ensure that all bases are covered.

Information classification is the process of determining what information is accessible to what parties and for what purposes. Classifications in industry are usually based upon cataloging information as public or private. Public information can be classified as either limited distribution or full distribution. Private information is usually classified as internal use or restricted.

Military and governmental organizations use a slightly different classification that is based around sensitivity and potential damage. The standard classifications for military data are Unclassified, Sensitive But Unclassified, Confidential, Secret, and Top Secret. Information is also compartmentalized by need-to-know, which limits access.

The primary roles in a security process include owner, custodian, and user. The owner of the data is responsible for determining access rights and uses. The custodian is responsible for maintaining and protecting data. The user is the person using the data to accomplish work.

Support roles in information classification include the security professional and the auditor. A security professional is a person who has access to the information and processes to ensure protection. An auditor is primarily concerned that processes and procedures are followed to protect information.

Access control models exist to categorize the usage of sensitive information. Three of the more common models are the Bell La-Padula model, the Biba model, and the Clark-Wilson model.

The Bell La-Padula model works on the philosophy that you cannot read up beyond your level of classification or write down to a lower classification. This model is primarily concerned with information security.

The Biba model is designed to prevent a user from writing up or reading down. This means that a user cannot write information up to a higher level or read information down at a lower level than they are authorized to access. The Biba model is designed to provide data integrity, as opposed to information security.

The Clark-Wilson model requires that all data access occur through controlled access programs. The programs dictate what information can be used and how it can be accessed. This is a very common model in software development systems.



CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
EAN: 2147483647
Year: 2006
Pages: 167

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net