Security Management Practices

Let’s imagine for a moment what numerous organizations and companies would do without security management. I am convinced that they would face a serious problem. Such organizations risk being exposed to both external and internal threats. External threats are usually represented by malicious software such as spyware, worms, Trojans, true computer viruses and so on; the list seems to be unlimited. As far as internal threats are concerned, I mean leakage of important information, and theft and corruption of data. If any of the malicious software mentioned above penetrates your computer or network, it may lead to information loss, data theft, etc.
That is why, to counter the increasing stream of hackers and malicious software, companies prefer to protect their business with the help of security professionals. A professional in the security subject area is a qualified and skillful person who has passed the CISSP examination. CISSP is an exam offered by the (ISC)² organization that includes 250 questions covering 10 security domains. The goal is to gain at least 700 points in it. The list of security domains is given below:
• Access Control & Methodology
• Applications & Systems Development
• Business Continuity & Disaster Recovery Planning
• Cryptography
• Law, Investigation & Ethics
• Operations Security
• Physical Security
• Security Architecture & Models
• Security Management Practices
• Telecommunications & Network Security
Now I would like to suggest that we discuss one of these security domains, Security Management Practices. It is in this domain that such documents as guidelines, procedures and policies are introduced. It also covers the identification of the company’s data assets. These documents are based on risk analysis and assessment, which helps to decide where protection mechanisms should be set. The Security Management Practices domain is aimed at guaranteeing confidentiality, integrity and availability of data. These three concepts form the so-called CIA triangle, which is considered the basis of software security and protection. Confidentiality restricts access to a certain file. However, confidentiality may be lost if an unintentional outlet of information takes place. Among the threats that confidentiality faces are keystroke monitoring, shoulder surfing and sniffing. The second component of the CIA triangle is integrity, which is based on the concept that information is steadfast and has not been modified. Both authorized and unauthorized users may cause such modification. Integrity also functions as an obstacle to data modification while the data is in transit or in storage. The last, but not least, component is availability. This notion is pretty clear: if you are an authorized user, you have the right to use the available data and resources. Notably, the relative importance of these three concepts depends entirely on what priorities and goals a given organization puts first.
Security Management Practices can be divided into five categories:
• Risk assessment
• Policy
• Implementation
• Training and education
• Auditing the security infrastructure
Let’s consider some of these categories. Talking about risk assessment, it is worth mentioning that the process is aimed at identifying risks in the business and putting them in a certain order of priority. Keep in mind that risk assessment is an important stage in security, which is part and parcel of a stable security policy. As a rule, risk assessment is run either by senior managers or by employees at lower levels. The first method is considered preferable. It allows detecting the most crucial points in the company’s security. What is more, risk assessment run by employees is likely to be a failure. The reason is that employees often do not see the risks or the value of stable security practices. Even when they do manage to see them, as a rule they find it difficult to realize the necessary implementation. Risk management plays an important role here: through vulnerability and threat analysis, it identifies the threats the company faces. Risk management’s major function is to determine what we should do with an uncovered risk.
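To make the risk assessment step concrete, the following added example (not part of the original article, and not a CISSP-prescribed method) builds a small risk register, scores each risk as likelihood × impact on a 1–5 scale, ranks the results, and maps each score to a treatment decision. The sample risks, the scoring scale and the treatment thresholds are all constructed assumptions for illustration; a real organization sets them according to its own priorities.

```python
"""Risk-register prioritisation: an illustrative example added to the article.

Each risk gets a likelihood and an impact score from 1 to 5 (an assumed
scale).  Their product ranks the risks, and assumed thresholds turn the
score into a treatment decision: what to do with an uncovered risk.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject scores outside the assumed 1..5 scale so a typo cannot
        # silently push a risk to the top or bottom of the register.
        for field_name in ("likelihood", "impact"):
            value = getattr(self, field_name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be an integer in 1..5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment(score: int) -> str:
    """Map a risk score to a treatment decision (thresholds are assumptions)."""
    if score >= 15:
        return "mitigate now"
    if score >= 8:
        return "mitigate in plan"
    if score >= 4:
        return "monitor"
    return "accept"


def prioritise(risks: Iterable[Risk]) -> List[Tuple[str, int, str]]:
    """Return (name, score, treatment) tuples, highest score first.

    Ties are broken by impact, so a severe but unlikely risk outranks a
    likely but minor one with the same product.
    """
    ranked = sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)
    return [(r.name, r.score, treatment(r.score)) for r in ranked]


# Constructed sample register; names and scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("unpatched internet-facing server", 4, 5),
    Risk("shoulder surfing at reception desk", 3, 2),
    Risk("no tested backup restore", 2, 5),
    Risk("weak password policy", 4, 3),
    Risk("laptop left in taxi", 1, 2),
]

if __name__ == "__main__":
    for name, score, action in prioritise(SAMPLE_REGISTER):
        print(f"{score:2d}  {action:17s} {name}")
```

Run as a script it prints the register ordered from the highest-scoring risk to the lowest, which is the order in which senior management would then decide on policy and protection mechanisms.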
Another category of Security Management Practices is Policy. Policy determines what to do after the risk has been estimated. Policy involves the following items: passwords, employee hiring, patch management, backup and termination practices, and so on. The process works like this: senior management identifies a risk, which serves as the basis for creating documents that are first researched and then locked in. The documents should clearly state who is to solve the problem, what the risk level is, etc. Security policy satisfies informative, advisory and regulatory needs, each of which has its own function.