Introduction

Welcome to the world of security administration. The topics covered in this chapter are some of the most common topics within the computer security industry. They form the basis for what security professionals do all around the world. Access control, information classification, risk assessment and mitigation, and the change management process are all pieces of the puzzle that are put together in this chapter. In many respects, these topics form the basis for the rest of the SSCP Common Body of Knowledge (CBK).

Ideally, all of these areas are addressed in a comprehensive security policy. Security analysts understand that security policies set the stage for the entire security program at any organization. But in order for the policies or the practices to be enforceable and adhered to, the upper management of the organization must understand and agree with the policies. Some of the information in this chapter shows how these topical areas impact the security of an organization. They revolve around defining the critical information assets within an organization, identifying the threats and risks to those assets, and coming up with solutions to eliminate or mitigate those threats. The key to management "buy-in" on these security practices lies in showing them a return on investment: avoiding the potential executive liability associated with a compromise, understanding the costs involved in recovering from a compromise, and reducing system downtime.

Contrary to popular belief, it is not possible to eliminate every risk to an organization's information assets. Security is about managing and mitigating the risk to an organization, not eliminating it completely. Anyone who says they can guarantee 100 percent security without impacting operations is not being completely truthful. Constraints such as regulations, standards, or laws will have a significant impact on the security solutions implemented to address risk. The vertical marketplace the organization operates within will give you a good idea of what regulations it is subject to. Healthcare agencies are liable for adhering to The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. Financial institutions may fall under SAS 70 or Gramm-Leach-Bliley (GLB). Aside from these regulatory constraints, the organization may have financial constraints (budget limitations due to poor performance) or operational constraints (network degradation is unacceptable, or operations cannot be impacted).

Some basic concepts of access control, such as least privilege, separation of duties, and accountability, are covered. These concepts provide a philosophy for how much access a user should have to a particular system and also how users are held accountable for their actions while utilizing the system. This chapter defines these terms and provides a basic understanding of what they are meant to achieve and how they fit into the rest of the security architecture.

Risk assessments provide a methodology for defining what information assets are important to the organization and what vulnerabilities put those assets at risk for compromise. Solutions are provided for each of the findings resulting from a risk assessment, and each solution should take the organizational constraints into consideration. Each risk assessment must consider the concepts of confidentiality, integrity, and availability (CIA). This chapter provides information on the risk assessment process and how to develop quality recommendations for risk mitigation that take the organizational constraints, CIA, and other considerations into account.

This chapter will also introduce some forms of malicious code that have wreaked havoc on organizations connected to the Internet for at least the last 10 years. Programs such as viruses, Trojan horses, worms, and logic bombs are briefly introduced here and discussed in more depth in Chapter 8. Security education is discussed as a method for teaching users how to spot these types of attacks and make informed decisions to protect organizational information assets.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135