One of the most recognized and respected
security certifications is the Certified Information Systems
Security Professional (CISSP) certification. The CISSP program
focuses on ISC2's Common Body of Knowledge (CBK), which arranges
security information into 10 vendor-neutral subject areas, or
These domains focus on industry principles and
standards that organizations can apply through policies and
procedures to increase the security of their network. So, while you
may not be currently studying for CISSP certification, that doesn't
mean your organization can't benefit from enhancing its
understanding of these main security areas.
The three major security domains most easily
applied to an operational network are Security Management
Practices, Access Control Systems and Methodology, and Operations
Security. Let's take a closer look.
Security Management Practices
Organizations can implement security management
through a security program that encompasses the following:
Policies: Broadly written
by senior management, these policies control the type of role that
security plays in an organization. They provide guidance for all
security activities within the organization.
Standards: These principles
specify the use of hardware and software products throughout a
network, and they ensure the deployment of specific technologies,
applications, and procedures in a uniform manner across the
step-by-step actions describe how to accomplish specific tasks
within a network, such as creating user accounts or granting access
to file resources.
Baselines: These metrics
delineate the minimum level of security necessary throughout a
network. For example, a baseline might describe the practice of
disabling all nonessential services and applying security patches
before the deployment of equipment.
principles are recommended actions to users and administrators for
events that an existing policy, standard, or procedure doesn't
analysis: This is the process of identifying risks and
assessing possible damage in order to justify security safeguards.
The goal of risk analysis is to identify risks, quantify the impact
of probable threats, and provide an economic balance between the
impact of the risk and the cost of deploying a countermeasure.
Access Control Systems and Methodology
The purpose of access control is to provide the
Confidentiality of data:
This involves preventing the disclosure of data to unauthorized
individuals, programs, or processes.
Integrity: Data must remain
free from intentional or unintentional errors and protected from
systems, and resources must be available to users and customers for
Organizations implement administrative access
control through policies and training, and they implement technical
access controls through hardware and software configuration. Proper
execution of access controls creates secure operating
Companies implement operational security
through controls used to protect hardware, software, and resources
from internal or external intruders as well as authorized users
improperly accessing network resources.
Preventive controls: These measures minimize
unintentional errors that enter the network and prevent intruders
from accessing system resources (e.g., file permissions).
Detective controls: These
controls detect errors and intrusions, such as viruses and
Corrective controls: These
measures mitigate the impact of a resource loss through recovery
procedures (e.g., tape backups).
Deterrent controls: These
controls promote compliance with policies and procedures (e.g., Web
Organizations can maintain operations security
through configuration management that emphasizes change control
procedures and least privilege principles.
Network security is an evolving process. By
using industry-standard security principles to govern the daily
operations of your network, you can perform due diligence and
justify the expenses you need to keep your company's network
Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.