Exam Objectives Fast Track

Principles of Security

  • The system must maintain accountability for all users of the system.

  • Authentication methods ensure the identity of users on the system. The use of more than one form of authentication gives a higher level of assurance for the user's identity.

  • Users should only be given as much access to the system as is required to perform their job duties.

Goals of Information Security

  • Confidentiality ensures that information in a system is not disclosed to unauthorized individuals.

  • Integrity ensures that information is not tampered with or changed without proper authorization.

  • Availability addresses the concerns of having information available for the organization when it is needed and denying an intruder the ability to make that information unavailable for use.

  • The life cycle of information security is a revolving process to constantly test for security changes in the environment and adopt methods to mitigate those risks.

Terms and Definitions

  • Acceptance means that a system meets all security and functional requirements and can be adopted into an operational environment.

  • Accreditation designates a system as safe to use in an operational environment because all security concerns about the system have been addressed adequately.

  • Certification is the end result of an in-depth evaluation of the system in question to determine if it operates securely. The certification process also details how well the security measures in place address security concerns.

  • Assurance simply defines the levels of confidence an organization has that the security characteristics of a system are complete and will protect the critical information within. Systems with better security controls in place are said to have a higher level of assurance.

Involvement with Development Groups

  • Quality assurance, auditing, and information security practices play a major role in the release of secure and functional products within an organization.

  • Policies, laws, regulations, and contract obligations must all be met when a final product is released.

  • The application or system being developed must meet all required security functionality prior to being released.

  • The application or system being developed must meet all functionality requirements prior to being released. All functions within the system or application must be tested for process integrity.

  • Operational tests are performed on the final product to ensure that it functions as expected with no unintended side effects.

Separation of Duties

  • Developers should not conduct official final tests or evaluations on their own product. Objective third parties should be brought in for testing.

  • Security administrators should not conduct official security audits on their own systems. Objective third parties should be brought in for testing.

  • No individual within an organization should be responsible for approving their own work. Objective third parties should be brought in for the approval process.

Risk Assessment

  • Risk assessments define the actual risk to an organization's information assets.

  • Critical information within the organization is identified and prioritized based on the impact to organizational mission statements.

  • Risks to those assets are identified.

  • A minimum acceptable level of loss is identified for each critical information type within the organization.

  • Solutions are presented for the mitigation of risk for each information asset based on financial, legal, or operational constraints. These solutions are presented in the organizational security management plan.

Potential Vulnerabilities

  • Malicious code is a piece of computer code intended to harm, destroy, or tamper with an information system or to allow unauthorized access to the system. Viruses, worms, Trojan horses, and logic bombs are all forms of malicious code.

  • Data problems occur when intruders are able to infer larger pieces of information based on smaller bits of information that are leaked from the system. Erroneous memory management or process corruption can cause information leakage.

  • Access problems arise from back doors, covert channels, and poor physical access controls. These problems result in unauthorized access to information systems within an organization.

System Architecture: Modes of Operation

  • System high mode is used on systems where all users have the authority and clearance levels required to view the information in the system, but may not necessarily have the required "need to know."

  • Compartment mode is used on systems where all users have the required authority and the clearance levels, and also have some level of "need to know" for the information in the system.

  • Multi-level secure mode is used on systems where not all users on the system have the approval or the "need to know" for every piece of information in the system.

Change Control

  • Change control ensures that operational systems do not break down due to configuration changes in the system.

  • All configuration changes must go through an approval process.

  • All configuration changes must be reversible through a rollback process, so that the system can be made operational again in the event of a poor configuration change.

  • Configuration changes should be tracked and controlled. Working configurations can be verified through the use of checksums, digital signatures, host-based IDSs, and configuration management software solutions.

System Security Architecture Concepts

  • Hardware segmentation protects memory spaces within a system through the use of kernel controls. Processes are given just enough protected memory space to load the process and complete the transaction.

  • The reference monitor within a system is a virtual machine that controls access to all objects and files in that system based on the authority of the user. This includes data files as well as physically connected peripherals and hosts.

  • High security mode controls access to different levels of classified information so only individuals that meet access requirements can utilize system processes and data.

  • Data protection mechanisms protect critical information within a system through data abstraction and data hiding. Processes and memory within the system are segmented and protected from each other.

Data Classification

  • Data classifications are designations intended to protect information from unauthorized disclosure.

  • Top Secret is the designation given to information that could cause catastrophic impact to an organization if it is disclosed outside the organization.

  • Secret is the designation given to information that would have a severe impact on an organization if it is disclosed to unauthorized individuals.

  • Confidential is the designation given to personal information that would have low impact on an organization if disclosed to unauthorized individuals.

  • Unclassified is the designation given to all other information in the organization that does not fit into the other categories. Unauthorized disclosure would not have a serious impact on an organization.

Employment Policies and Practices

  • Organizations control the security risks posed by workers through the use of policies and procedures.

  • Background checks verify information given by potential employees to an organization. They also help identify potential problem areas before the new employees are brought on board.

  • Separation of duties ensures that workers only have access to a small piece of the information in an organization. Leakage of information from an employee will not compromise the entire information system.

  • Employment agreements, such as non-compete and non-disclosure agreements, protect the assets of an organization and give legal recourse in the event of a breach of these agreements.

  • Termination policies set the procedures for the termination of employees and help remind employees of their responsibilities concerning the non-disclosure of information. They also ensure that all access is revoked upon termination.

Awareness

  • Security awareness educates employees on organizational policies and procedures concerning security at the organization.

  • Employees are educated when hired.

  • Security awareness training has to be supported by upper management to be successful.

  • Managers must lead the security process by example.

  • Clean desk spot checks help to ensure policies and procedures are being practiced by all employees.

Security Management Planning

  • Define the organizational mission.

  • Determine areas of priority for protection.

  • Determine risks and threats to priority areas.

  • Create a security plan to address threats to priority areas.

  • Get upper management buy-in for the security plan.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135