
CISSP Security-Management Practices

This chapter provides an overview of security management with an eye towards passing the CISSP exam, including sample questions with detailed answers to help you prepare.
This chapter is from the book


Terms you'll need to understand:

  • Confidentiality

  • Integrity

  • Availability

  • Threat

  • Vulnerability

  • Public/private data classification

  • Government data classification

  • Risk

  • SLE

  • Residual risk

  • ALE

Techniques you'll need to master:

  • Risk management

  • Qualitative analysis

  • Quantitative analysis

  • Data-classification criteria

  • Security roles

  • Risk calculations

Introduction

This chapter helps the reader prepare for the security-management domain. Security management begins with identifying the organization's information assets and their value. The domain also introduces some critical documents, such as policies, procedures, and guidelines. These documents matter because they spell out how the organization manages its security practices and detail what is most important to the organization.

These documents are not developed in a vacuum. Senior management sets the general direction, and risk-assessment and risk-analysis activities determine where protective mechanisms should be placed. This chapter also introduces the two ways to calculate risk: qualitatively and quantitatively.

Finally, don't forget the employees. Employees need to be trained on what good security is and what they can do to ensure that it is always practiced in the workplace. The goal here, as in the other domains, is to ensure the confidentiality, integrity, and availability of the organization's assets and information. This chapter divides security-management practices into five broad categories:

  • Risk assessment

  • Policy

  • Implementation

  • Training and education

  • Auditing the security infrastructure

Before we jump into these topics and look at the ways in which information assets are protected, let's talk briefly about the risks of poor security management and the role of confidentiality, integrity, and availability.
