Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
CISSP in 21 Days

You're reading from   CISSP in 21 Days Boost your confidence and get the competitive edge you need to crack the exam in just 21 days!

Arrow left icon
Product type Paperback
Published in Jun 2016
Publisher
ISBN-13 9781785884498
Length 402 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
M. L. Srinivasan M. L. Srinivasan
Author Profile Icon M. L. Srinivasan
M. L. Srinivasan
Arrow right icon
View More author details
Toc

Table of Contents (22) Chapters Close

Preface 1. Day 1 – Security and Risk Management - Security, Compliance, and Policies FREE CHAPTER 2. Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education 3. Day 3 – Asset Security - Information and Asset Classification 4. Day 4 – Asset Security - Data Security Controls and Handling 5. Day 5 – Exam Cram and Practice Questions 6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation 7. Day 7 – Security Engineering - Cryptography 8. Day 8 – Communication and Network Security - Network Security 9. Day 9 – Communication and Network Security - Communication Security 10. Day 10 – Exam Cram and Practice Questions 11. Day 11 – Identity and Access Management - Identity Management 12. Day 12 – Identity and Access Management - Access Management, Provisioning, and Attacks 13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests 14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting 15. Day 15 – Exam Cram and Practice Questions 16. Day 16 – Security Operations - Foundational Concepts 17. Day 17 – Security Operations - Incident Management and Disaster Recovery 18. Day 18 – Software Development Security - Security in Software Development Life Cycle 19. Day 19 – Software Development Security - Assessing effectiveness of Software Security 20. Day 20 – Exam Cram and Practice Questions 21. Day 21 – Exam Cram and Mock Test

Overview of security, compliance, and policies

Asset protection forms the baseline for security. Unintended disclosure and unauthorized modification or destruction of an asset can affect security.

Observe the following illustration:

Overview of security, compliance, and policies
  • Asset requires protection
  • Protection is based on the requirements of Confidentiality, Integrity and Availability (CIA) for the
  • Security is ensured through Security Governance that comprises management practices and management oversight
  • Security is demonstrated through compliance that could be legal or regulatory
  • Compliance consists of adherence to applicable legal and regulatory requirements; applicable policies, standards, procedures and guidelines; and personnel security policies
  • Compliance can be affected by security issues

Asset

Assets can be tangible, that is, perceptible by touch. An example of a tangible asset could be a desktop computer or a laptop. Assets can be intangible, that is, not have physical presence. An example of an intangible asset could be a corporate image or an intellectual property, such as patents.

Assets are used by the organization for business processes. Every asset, whether tangible or intangible, has a certain intrinsic value to the business. The value can be monetary, or of importance, or both. For example, a simple firewall that costs less than $10000 may be protecting important business applications worth millions of dollars.

If an asset is compromised, for example, stolen or modified, and the data or a secret information is disclosed, it will have an impact that could lead to monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.

An asset can be hardware, software, data, process, product, or infrastructure that is of value to an organization, and hence, needs protection. The level of protection is based on the value of the asset to the business.

To assess protection requirements, assets are grouped based on the type of assets, such as tangible or intangible, physical or virtual, and computing or noncomputing. For example, a computer can be a physical asset as well as a computing asset, such as hardware.

Note

Note that equipment, such as plumbing tools, can also be called hardware in some countries. However, in the information security domain, hardware generally implies computing and computer-related equipment.

Assets are generally grouped as follows:

  • Physical assets: They are tangible in nature and examples include buildings, furniture, Heating, Ventilating and Air Conditioning (HVAC) equipment, and so on.
  • Hardware assets: They are related to computer and network systems. Examples include, servers, desktop computers, laptop, router, network cables and so on.
  • Software assets: They are intangible assets that an organization owns a license to use. In general, organizations may not have Intellectual Property Rights (IPR) over such assets. Examples include, Operating Systems (OS), Data Base Management Systems (DBMS), office applications, web server software, and so on.
  • Information assets: They are intangible in nature. They are owned by the organization. Examples include, business processes, policies and procedures, customer information, personnel information, agreements, and formulas developed in-house or purchased outright.
  • Personnel assets: People associated with the organization, such as employees, contractors, and third-party consultants, are grouped under this type.

Note

Note that, in certain accounting practices, software can also be classified under Property, Plant and Equipment (PPE). However, in the information security domain, software is classified as an intangible asset. Besides, software or information may be stored in hardware or physical assets, such as on hard disk or DVD.

Asset protection

In the information security domain, asset protection involves security management practices that are subjected to business and compliance requirements. Such practices for asset protection are called security controls.

Types of security controls include:

  • Physical entry controls to an office building that allow only authorized personnel
  • Monitoring controls, such as CCTV, for surveillance of critical assets
  • Controls, such as locks, for hardware assets for protection from theft
  • Tamper proofing controls, such as hashing and encryption, for software and data asset
  • Copyrights or patent for information assets to protect legal rights
  • Identity management systems to protect personnel assets from identity theft

This is not a comprehensive list of security controls. This book provides hundreds of such requirements and controls in subsequent chapters. However, a requirement or a control is not determined ad-hoc. Instead, asset protection requirements are identified through a structured method of risk analysis, evaluation, and assessment. Similarly, controls are identified through risk mitigation strategies. Risk assessment and risk mitigation strategies are covered in the next chapter.

Hence, asset protection requirements are based on risk. In order to understand risk, to perform risk assessment and select controls for asset protection, the concepts of CIA have to be understood first.

You have been reading a chapter from
CISSP in 21 Days - Second Edition
Published in: Jun 2016
Publisher:
ISBN-13: 9781785884498
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image