Put CISSP focus areas to use on your network

Take a look at the three major security domains that are most easily applied to an operational network: Security Management Practices, Access Control Systems and Methodology, and Operations Security.

One of the most recognized and respected security certifications is the Certified Information Systems Security Professional (CISSP) certification. The CISSP program focuses on ISC2's Common Body of Knowledge (CBK), which arranges security information into 10 vendor-neutral subject areas, or "security domains."

These domains focus on industry principles and standards that organizations can apply through policies and procedures to increase the security of their network. So, while you may not be currently studying for CISSP certification, that doesn't mean your organization can't benefit from enhancing its understanding of these main security areas.

The three major security domains most easily applied to an operational network are Security Management Practices, Access Control Systems and Methodology, and Operations Security. Let's take a closer look.

Security Management Practices

Organizations can implement security management through a security program that encompasses the following:

  • Policies: Broadly written by senior management, these policies control the type of role that security plays in an organization. They provide guidance for all security activities within the organization.
  • Standards: These principles specify the use of hardware and software products throughout a network, and they ensure the deployment of specific technologies, applications, and procedures in a uniform manner across the organization.
  • Procedures: These step-by-step actions describe how to accomplish specific tasks within a network, such as creating user accounts or granting access to file resources.
  • Baselines: These metrics delineate the minimum level of security necessary throughout a network. For example, a baseline might describe the practice of disabling all nonessential services and applying security patches before the deployment of equipment.
  • Guidelines: These principles are recommended actions to users and administrators for events that an existing policy, standard, or procedure doesn't address.
  • Risk analysis: This is the process of identifying risks and assessing possible damage in order to justify security safeguards. The goal of risk analysis is to identify risks, quantify the impact of probable threats, and provide an economic balance between the impact of the risk and the cost of deploying a countermeasure.
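
A worked example of the economic balance described under risk analysis, added here and not part of the original article. It uses the standard quantitative formula (annualized loss expectancy = asset value × exposure factor × annualized rate of occurrence), and every asset, dollar figure, and safeguard in the register is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    asset_value: float      # dollars at stake
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)
    safeguard: str
    annual_cost: float      # yearly cost of the countermeasure
    ef_after: float         # exposure factor with the safeguard in place
    aro_after: float        # ARO with the safeguard in place

def ale(asset_value, exposure_factor, aro):
    """Annualized loss expectancy: (asset value * exposure factor) * ARO."""
    if asset_value < 0 or aro < 0 or not 0 <= exposure_factor <= 1:
        raise ValueError("asset_value and aro must be >= 0, exposure_factor in [0, 1]")
    return asset_value * exposure_factor * aro

def safeguard_value(r):
    """Yearly net benefit: loss avoided minus what the safeguard costs."""
    before = ale(r.asset_value, r.exposure_factor, r.aro)
    after = ale(r.asset_value, r.ef_after, r.aro_after)
    return before - after - r.annual_cost

def evaluate(register):
    """Return (risk, safeguard, net value, justified) rows, best value first."""
    rows = [(r.name, r.safeguard, round(safeguard_value(r), 2),
             safeguard_value(r) > 0) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed risk register; all figures are illustrative assumptions.
REGISTER = [
    Risk("Ransomware on file server", 200_000, 0.5, 0.2, "Offline backups", 6_000, 0.1, 0.2),
    Risk("Laptop theft", 3_000, 1.0, 2.0, "Cable locks", 500, 1.0, 1.0),
    Risk("Lobby kiosk defacement", 10_000, 0.2, 0.5, "Managed WAF", 12_000, 0.2, 0.1),
]

if __name__ == "__main__":
    for name, safeguard, value, justified in evaluate(REGISTER):
        verdict = "justified" if justified else "costs more than it saves"
        print(f"{name:28} {safeguard:16} {value:>10,.2f}  {verdict}")
```

A safeguard with a negative net value costs more per year than the loss it avoids, which is the case the risk analysis is meant to surface before money is spent.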

Access Control Systems and Methodology

The purpose of access control is to provide the following:

  • Confidentiality of data: This involves preventing the disclosure of data to unauthorized individuals, programs, or processes.
  • Integrity: Data must remain free from intentional or unintentional errors and protected from unauthorized modification.
  • Availability: Data, systems, and resources must be available to users and customers for daily operations.

Organizations implement administrative access control through policies and training, and they implement technical access controls through hardware and software configuration. Proper execution of access controls creates secure operating environments.

Operations Security

Companies implement operational security through controls that protect hardware, software, and resources from internal or external intruders, as well as from authorized users who access network resources improperly. These controls fall into four types:

  • Preventive controls: These measures minimize unintentional errors that enter the network and prevent intruders from accessing system resources (e.g., file permissions).
  • Detective controls: These controls detect errors and intrusions, such as viruses and attacks.
  • Corrective controls: These measures mitigate the impact of a resource loss through recovery procedures (e.g., tape backups).
  • Deterrent controls: These controls promote compliance with policies and procedures (e.g., Web content filtering).

Organizations can maintain operations security through configuration management that emphasizes change control procedures and least privilege principles.

Final thoughts

Network security is an evolving process. By using industry-standard security principles to govern the daily operations of your network, you can perform due diligence and justify the expenses you need to keep your company's network secure.
