One of the most recognized and respected
security certifications is the Certified Information Systems
Security Professional (CISSP) certification. The CISSP program
focuses on ISC2’s Common Body of Knowledge (CBK), which arranges
security information into 10 vendor-neutral subject areas, or
“security domains.”

These domains focus on industry principles and
standards that organizations can apply through policies and
procedures to increase the security of their network. So, while you
may not be currently studying for CISSP certification, that doesn’t
mean your organization can’t benefit from enhancing its
understanding of these main security areas.

The three major security domains most easily
applied to an operational network are Security Management
Practices, Access Control Systems and Methodology, and Operations
Security. Let’s take a closer look.

Security Management Practices

Organizations can implement security management
through a security program that encompasses the following:

  • Policies: Broadly written
    by senior management, these policies control the type of role that
    security plays in an organization. They provide guidance for all
    security activities within the organization.
  • Standards: These principles
    specify the use of hardware and software products throughout a
    network, and they ensure the deployment of specific technologies,
    applications, and procedures in a uniform manner across the
    organization.
  • Procedures: These
    step-by-step actions describe how to accomplish specific tasks
    within a network, such as creating user accounts or granting access
    to file resources.
  • Baselines: These metrics
    delineate the minimum level of security necessary throughout a
    network. For example, a baseline might describe the practice of
    disabling all nonessential services and applying security patches
    before the deployment of equipment.
  • Guidelines: These
    principles are recommended actions to users and administrators for
    events that an existing policy, standard, or procedure doesn’t
    address.
  • Risk analysis: This is the process of identifying risks and
    assessing possible damage in order to justify security safeguards.
    The goal of risk analysis is to identify risks, quantify the impact
    of probable threats, and provide an economic balance between the
    impact of the risk and the cost of deploying a countermeasure.
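The "economic balance" the risk analysis item describes is usually worked out with the standard quantitative figures taught in the CISSP material: single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = SLE × annualized rate of occurrence), and the value of a safeguard (ALE before the control, minus ALE after it, minus the control's annual cost). The following Python is an added worked example, not code from the original article; the asset values, exposure factors, occurrence rates and safeguard costs in it are constructed for illustration.

```python
"""Quantitative risk analysis: justify a countermeasure by comparing the
annualized loss it prevents against what it costs to run.

Formulas (standard CISSP risk-analysis definitions):
    SLE = asset_value * exposure_factor   single loss expectancy
    ALE = SLE * ARO                       annualized loss expectancy
    safeguard value = ALE_before - ALE_after - annual_cost_of_safeguard
A countermeasure is economically justified when its value is positive.
All figures below are constructed examples, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # dollars at stake if the asset is lost outright
    exposure_factor: float   # fraction of the asset value lost per incident, 0..1
    aro: float               # annualized rate of occurrence (incidents per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # yearly cost to deploy and operate the control
    new_exposure_factor: float  # exposure per incident once the control is in place
    new_aro: float              # incident rate once the control is in place


def residual_risk(risk: Risk, safeguard: Safeguard) -> Risk:
    """The same asset, re-rated with the safeguard's reduced exposure and rate."""
    return Risk(risk.name, risk.asset_value,
                safeguard.new_exposure_factor, safeguard.new_aro)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Annual benefit of the countermeasure, net of its own cost."""
    return risk.ale() - residual_risk(risk, safeguard).ale() - safeguard.annual_cost


def is_justified(risk: Risk, safeguard: Safeguard) -> bool:
    """True when the control saves more per year than it costs."""
    return safeguard_value(risk, safeguard) > 0


def rank_safeguards(risk: Risk, options: list) -> list:
    """Order candidate controls by net annual value, best first."""
    return sorted(options, key=lambda s: safeguard_value(risk, s), reverse=True)


# Constructed scenario: a file server whose data is worth $200,000; a
# ransomware-style loss destroys a quarter of that value, about twice a year.
FILE_SERVER = Risk("file server data", asset_value=200_000,
                   exposure_factor=0.25, aro=2.0)

# Constructed candidate countermeasures.
OFFSITE_BACKUP = Safeguard("nightly offsite backup", annual_cost=15_000,
                           new_exposure_factor=0.05, new_aro=2.0)
FULL_REPLICATION = Safeguard("synchronous replicated cluster", annual_cost=90_000,
                             new_exposure_factor=0.0, new_aro=2.0)
GOLD_PLATED = Safeguard("outsourced hot site", annual_cost=120_000,
                        new_exposure_factor=0.0, new_aro=2.0)
OPTIONS = [OFFSITE_BACKUP, FULL_REPLICATION, GOLD_PLATED]

if __name__ == "__main__":
    print(f"SLE ${FILE_SERVER.sle():,.0f}  ALE ${FILE_SERVER.ale():,.0f}")
    for s in rank_safeguards(FILE_SERVER, OPTIONS):
        verdict = "justified" if is_justified(FILE_SERVER, s) else "not justified"
        print(f"{s.name:32s} value ${safeguard_value(FILE_SERVER, s):>10,.0f}  {verdict}")
```

With the constructed figures the server carries an ALE of $100,000; the backup control nets $65,000 a year, the replicated cluster $10,000, and the hot site loses $20,000, so the analysis justifies the first two and rejects the third even though it eliminates the exposure entirely. That is exactly the balance between impact and countermeasure cost the bullet describes: a control can be effective and still not be worth buying.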

Access Control Systems and Methodology

The purpose of access control is to provide the
following:

  • Confidentiality of data:
    This involves preventing the disclosure of data to unauthorized
    individuals, programs, or processes.
  • Integrity: Data must remain
    free from intentional or unintentional errors and protected from
    unauthorized modification.
  • Availability: Data,
    systems, and resources must be available to users and customers for
    daily operations.

Organizations implement administrative access
control through policies and training, and they implement technical
access controls through hardware and software configuration. Proper
execution of access controls creates secure operating
environments.

Operations Security

Companies implement operational security
through controls used to protect hardware, software, and resources
from internal or external intruders as well as authorized users
improperly accessing network resources.

  • Preventive controls: These measures minimize
    unintentional errors entering the network and prevent intruders
    from accessing system resources (e.g., file permissions).
  • Detective controls: These
    controls detect errors and intrusions, such as viruses and
    attacks.
  • Corrective controls: These
    measures mitigate the impact of a resource loss through recovery
    procedures (e.g., tape backups).
  • Deterrent controls: These
    controls promote compliance with policies and procedures (e.g., Web
    content filtering).

Organizations can maintain operations security
through configuration management that emphasizes change control
procedures and least privilege principles.

Final thoughts

Network security is an evolving process. By
using industry-standard security principles to govern the daily
operations of your network, you can perform due diligence and
justify the expenses you need to keep your company’s network
secure.