© 2011 by Taylor & Francis Group, LLC
Chapter 1
Enterprise Security Management Practices
James Litchko
Contents
Introduction ........ 2
  Mission Statements ........ 3
  Business Functions ........ 6
  Group Business Processes ........ 7
  Identity Management ........ 8
  Compliance ........ 8
  Cultural Expectations ........ 10
  External Influences ........ 11
  Influence Summary ........ 12
Information Security Concepts ........ 13
  System Security Requirements ........ 13
  Security Impact Analysis ........ 14
  Security Categorization Process ........ 16
  Information Classification ........ 18
  Securing Classified Information ........ 23
  Security Boundary ........ 23
  System Security Program Influences Summary ........ 25
System Development Life Cycle (SDLC) ........ 26
Enterprise System Security Framework ........ 27
  Enterprise Security Policy ........ 28
  Standards and Guidelines ........ 31
  Leveraging Externals to Produce Internals ........ 33
Risk Management Program ........ 35
  Risk Management Components ........ 37
  Evaluation and Assurance ........ 42
  Procedures and Processes ........ 44
  Service Level Agreements ........ 47
  Interconnections ........ 48
  Countermeasures Evaluation and Recommendation ........ 49
Information System Security Cycles ........ 51
Roles and Responsibilities ........ 54
  Resourcing Security ........ 59
  Security Awareness, Education, and Training ........ 66
Chapter Summary ........ 69
Review Questions ........ 70

Official (ISC)2® Guide to the ISSMP® CBK®

Introduction
The Enterprise Security Management Practices domain addresses the fundamental requirements for a security program. It embraces the concepts of security from an enterprise-wide perspective, defines the role of policy, and supports the establishment of an effective security department. An expert in this domain understands the relationship between security policy and the business requirements of the organization as reflected through mission, goals, and objectives. In addition, an expert will be cognizant of the individual and sometimes conflicting objectives of different business units and will be familiar with the requirement of due care and diligence when conducting operations across political, regulatory, or market boundaries.

This domain requires an understanding of risk management through risk, threat, and impact assessment, risk mitigation, and controls. It also highlights the value of data classification, the certification and accreditation process, and change control.

An enterprise security manager establishes training and awareness programs that cover topics such as security policy, roles and responsibilities, acceptable use of system resources, and security procedures. Training should also cover incident handling and compliance with legal requirements.

The management tasks that an enterprise security manager will face are diverse and extensive. While individual responsibilities will vary according to organizational priorities, the following key areas of knowledge encompass many of the duties of an enterprise security manager:

◾ Understand the goals, mission, and the objectives of the organization from an enterprise perspective.
◾ Apply the concepts of availability, integrity, and confidentiality to the enterprise.
◾ Develop an enterprise-wide security policy.
◾ Develop and implement security processes.
◾ Develop an enterprise-wide security plan.