
CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)


Exam Essentials 411

The classification of security controls can be based on their nature, such as administrative, technical/logical, or physical. It can also be based on the action or objective of the control, such as directive, preventative, detective, corrective, and recovery.

Operations controls are the mechanisms and daily procedures that provide protection for systems. They are typically security controls that must be implemented or performed by people rather than automated by the system. Most operations controls are administrative in nature, but as you can see from the following list, they also include some technical or logical controls:

Resource protection

Privileged-entity controls

Change control management

Hardware controls

Input/output controls

Media controls

Administrative controls

Trusted recovery process

Exam Essentials

Understand that personnel management is a form of administrative control, also called administrative management. You must clearly define personnel management practices in your security policy and subsequent formalized security structure documentation. Personnel management focuses on three main areas: hiring practices, ongoing job performance, and termination procedures.

Understand antivirus management. Antivirus management includes the design, deployment, and maintenance of an antivirus solution for your IT environment.

Know how to prevent unrestricted installation of software. To provide a virus-free environment, installation of software should be rigidly controlled. This includes allowing users to install and execute only company-approved and -distributed software as well as thoroughly testing and scanning all new software before it is distributed on a production network. Even commercial software has become an inadvertent carrier of viruses.

Understand backup maintenance. A key part of maintaining the availability and integrity of data is a reliable backup of critical information. Having a reliable backup is the only form of insurance that the data on a system that has failed or has been damaged or corrupted is not permanently lost.

Know how changes in workstation or location promote a secure environment. Changes in a user’s workstation or their physical location within an organization can be used as a means to improve or maintain security. Having a policy of changing users’ workstations prevents them from altering the system or installing unapproved software and encourages them to keep all material stored on network servers where it can be easily protected, overseen, and audited.

412 Chapter 13 Administrative Management

Understand the need-to-know concept and the principle of least privilege. Need-to-know and the principle of least privilege are two standard axioms of high-security environments. To gain access to data or resources, a user must have a need to know. If users do not have a need to know, they are denied access. The principle of least privilege means that users should be granted the least amount of access to the secure environment as possible for them to be able to complete their work tasks.

Understand privileged operations functions. Privileged operations functions are activities that require special access or privilege to perform within a secured IT environment. For maximum security, such functions should be restricted to administrators and system operators.
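The need-to-know and least-privilege rules above, together with the restriction of privileged operations functions to administrators and operators, can be expressed as a single deny-by-default access decision. The following is an added example, not code from the study guide; the roles, clearance ladder, compartments and sample subjects are constructed for illustration, and every decision is written to an audit log so that accountability is preserved.

```python
# Added example (not from the study guide): a deny-by-default access decision that
# enforces clearance, need-to-know and least privilege, and limits privileged
# operations functions to administrators and operators. All names are constructed.
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    READ = "read"
    WRITE = "write"
    PRIVILEGED = "privileged"   # e.g. restoring a backup, managing audit logs


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str   # "public" < "internal" < "confidential" < "secret"
    compartment: str      # the need-to-know compartment the data belongs to


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    compartments: frozenset   # compartments with a documented need to know
    role: str                 # "user", "operator" or "administrator"


CLEARANCE_LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Least privilege: each role receives only the actions its work tasks require.
# Privileged operations functions are held back from ordinary users.
ROLE_ACTIONS = {
    "user": {Action.READ},
    "operator": {Action.READ, Action.WRITE, Action.PRIVILEGED},
    "administrator": {Action.READ, Action.WRITE, Action.PRIVILEGED},
}

AUDIT_LOG = []   # accountability: every decision, granted or denied, is recorded


def is_authorized(subject: Subject, resource: Resource, action: Action):
    """Return (allowed, reason). All checks must pass; anything else is denied."""
    if CLEARANCE_LEVEL.get(subject.clearance, -1) < CLEARANCE_LEVEL[resource.classification]:
        decision = (False, "clearance below resource classification")
    elif resource.compartment not in subject.compartments:
        decision = (False, "no need to know for this compartment")
    elif action not in ROLE_ACTIONS.get(subject.role, set()):
        decision = (False, f"action '{action.value}' exceeds role '{subject.role}'")
    else:
        decision = (True, "granted")
    AUDIT_LOG.append((subject.name, resource.name, action.value, decision[1]))
    return decision


if __name__ == "__main__":
    # Constructed sample: a high clearance alone is not enough without need-to-know,
    # and an administrator outside the compartment is denied like anyone else.
    payroll = Resource("payroll-db", "confidential", "finance")
    alice = Subject("alice", "secret", frozenset({"finance"}), "user")
    bob = Subject("bob", "secret", frozenset({"engineering"}), "administrator")
    for subj, act in [(alice, Action.READ), (alice, Action.WRITE), (bob, Action.READ)]:
        print(subj.name, act.value, is_authorized(subj, payroll, act))
```

The order of the checks is deliberate: clearance and need-to-know are evaluated before the role, so an administrator who is not read into a compartment is refused for lack of need-to-know rather than admitted on the strength of the role.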

Know the standards of due care and due diligence. Due care is using reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort. Senior management must show reasonable due care and due diligence to reduce their culpability and liability when a loss occurs.

Understand how to maintain privacy. Maintaining privacy means protecting personal information from disclosure to any unauthorized individual or entity. In today’s online world, the line between public information and private information is often blurry. The protection of privacy should be a core mission or goal set forth in the security policy of an organization.

Know the legal requirements in your region and field of expertise. Every organization operates within a certain industry and country, both of which impose legal requirements, restrictions, and regulations on its practices. Legal requirements can involve licensed use of software, hiring restrictions, handling of sensitive materials, and compliance with safety regulations.

Understand what constitutes an illegal activity. An illegal activity is an action that violates a legal restriction, regulation, or requirement. A secure environment should provide mechanisms to prevent illegal activities from being committed and the means to track illegal activities and maintain accountability of the individuals perpetrating the crimes.

Know the proper procedure for record retention. Record retention is the organizational policy that defines what information is maintained and for how long. In most cases, the records in question are audit trails of user activity. This can include file and resource access, logon patterns, e-mail, and the use of privileges.

Understand the elements of securing sensitive media. Managing information and media properly, especially in a high-security environment where sensitive, confidential, and proprietary data is processed, is crucial to the security and stability of an organization. In addition to media selection, there are several key areas of information and media management: marking, handling, storage, life-span, reuse, and destruction.

Know and understand the security control types. There are several methods used to classify security controls. The classification can be based on the nature of the control (administrative, technical/logical, or physical) or on the action or objective of the control (directive, preventative, detective, corrective, and recovery).

Know the importance of control transparency. When possible, operations controls should be invisible or transparent to users to prevent users from feeling that security is hampering their productivity. Likewise, the less users know about the security of the system, the less likely they will be able to circumvent it.

Understand how to protect resources. The operations controls for resource protection are designed to provide security for the IT environment’s resources, including hardware, software, and data assets. To maintain confidentiality, integrity, and availability of the hosted assets, the resources themselves must be protected.

Be able to explain change and configuration control management. Change in a secure environment can introduce loopholes, overlaps, misplaced objects, and oversights that can lead to new vulnerabilities. Therefore, you must systematically manage change by logging, auditing, and monitoring activities related to security controls and security mechanisms. The resulting data is then used to identify agents of change, whether they are objects, subjects, programs, communication pathways, or even the network itself. The goal of change management is to ensure that any change does not lead to reduced or compromised security.
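The change-control loop described above (log, audit, identify the agent of change, and confirm that security has not been reduced) can be demonstrated on a small security baseline. The following is an added example, not code from the study guide: the baseline settings, the "weakens a control" rule and the sample change are constructed for illustration.

```python
# Added example (not from the study guide): change control over a security baseline.
# The baseline is fingerprinted so it can be re-verified, every deviation is logged
# with the agent responsible, and changes that are unapproved or that weaken a
# control are marked for rollback. Settings and values are constructed.
import hashlib
import json

# Constructed baseline of security-relevant workstation settings.
BASELINE = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "audit_logging": True,
    "allowed_installers": ["it-admins"],
}

# Settings whose disabling, removal or emptying reduces security (assumption).
SECURITY_RELEVANT = {"firewall_enabled", "antivirus_enabled", "audit_logging", "allowed_installers"}


def fingerprint(config: dict) -> str:
    """Stable SHA-256 over canonical JSON so a stored baseline can be verified later."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_config(baseline: dict, current: dict) -> list:
    """Every setting added, removed or altered relative to the baseline."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append({"setting": key, "old": old, "new": new})
    return changes


def weakens_control(change: dict) -> bool:
    """Simplified rule (an assumption of this example): a security-relevant
    setting that is disabled, removed or emptied reduces security."""
    if change["setting"] not in SECURITY_RELEVANT:
        return False
    return change["new"] in (False, None, [], "")


def audit_changes(baseline: dict, current: dict, agent: str, approved: set) -> list:
    """Audit entries for each change; unapproved or weakening ones are flagged."""
    entries = []
    for change in diff_config(baseline, current):
        if weakens_control(change):
            status = "rollback: reduces security"
        elif change["setting"] not in approved:
            status = "rollback: no approved change request"
        else:
            status = "accepted"
        entries.append({**change, "agent": agent, "status": status})
    return entries


if __name__ == "__main__":
    # Constructed change: a deployment job disables the firewall (unapproved and
    # weakening) and adds an approved screensaver timeout.
    current = dict(BASELINE, firewall_enabled=False, screensaver_timeout=600)
    print("baseline fingerprint:", fingerprint(BASELINE))
    for entry in audit_changes(BASELINE, current, "svc-deploy", {"screensaver_timeout"}):
        print(entry)
```

Keeping the baseline fingerprint separately from the configuration itself lets the monitoring step detect drift even when no change request was ever raised, which is the case the text warns about: the agent of change can be a program or the network itself rather than a person.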

Understand the trusted recovery process. The trusted recovery process ensures that a system is not breached during a crash, failure, or reboot and that, whenever one of these occurs, the system returns to a secure state.


Review Questions

1. Personnel management is a form of what type of control?

A. Administrative

B. Technical

C. Logical

D. Physical

2. What is the most common means of distribution for viruses?

A. Unapproved software

B. E-mail

C. Websites

D. Commercial software

3. Which of the following causes the vulnerability of being affected by viruses to increase?

A. Length of time the system is operating

B. The classification level of the primary user

C. Installation of software

D. Use of roaming profiles

4. In areas where technical controls cannot be used to prevent virus infections, what should be used to prevent them?

A. Security baselines

B. Awareness training

C. Traffic filtering

D. Network design

5. Which of the following is not true?

A. Complying with all applicable legal requirements is a key part of sustaining security.

B. It is often possible to disregard legal requirements if complying with regulations would cause a reduction in security.

C. The legal requirements of an industry and of a country should be considered the baseline or foundation upon which the remainder of the security infrastructure must be built.

D. Industry and governments impose legal requirements, restrictions, and regulations on the practices of an organization.


6. Which of the following is not an illegal activity that can be performed over a computer network?

A. Theft

B. Destruction of assets

C. Waste of resources

D. Espionage

7. Who does not need to be informed when records about their activities on a network are being recorded and retained?

A. Administrators

B. Normal users

C. Temporary guest visitors

D. No one

8. What is the best form of antivirus protection?

A. Multiple solutions on each system

B. A single solution throughout the organization

C. Concentric circles of different solutions

D. One-hundred-percent content filtering at all border gateways

9. Which of the following is an effective means of preventing and detecting the installation of unapproved software?

A. Workstation change

B. Separation of duties

C. Discretionary access control

D. Job responsibility restrictions

10. What is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks commonly known as?

A. Principle of least privilege

B. Prudent man theory

C. Need-to-know

D. Role-based access control

11. Which are activities that require special access to be performed within a secured IT environment?

A. Privileged operations functions

B. Logging and auditing

C. Maintenance responsibilities

D. User account management


12. Which of the following requires that archives of audit logs be kept for long periods of time?

A. Data remanence

B. Record retention

C. Data diddling

D. Data mining

13. What is the most important aspect of marking media?

A. Date labeling

B. Content description

C. Electronic labeling

D. Classification

14. Which operation is performed on media so it can be reused in a less-secure environment?

A. Erasing

B. Clearing

C. Purging

D. Overwriting

15. Sanitization can be unreliable due to which of the following?

A. No media can be fully swept clean of all data remnants.

B. Even fully incinerated media can offer extractable data.

C. The process can be performed improperly.

D. Stored data is physically etched into the media.

16. Which security tool is used to guide the security implementation of an organization?

A. Directive control

B. Preventive control

C. Detective control

D. Corrective control

17. Which security mechanism is used to verify whether the directive and preventative controls have been successful?

A. Directive control

B. Preventive control

C. Detective control

D. Corrective control


18. When possible, operations controls should be ________________ .

A. Simple

B. Administrative

C. Preventative

D. Transparent

19. What is the primary goal of change management?

A. Personnel safety

B. Allowing rollback of changes

C. Ensuring that changes do not reduce security

D. Auditing privilege access

20. What type of trusted recovery process requires the intervention of an administrator?

A. Restricted

B. Manual

C. Automated

D. Controlled


Answers to Review Questions

1. A. Personnel management is a form of administrative control. Administrative controls also include separation of duties and responsibilities, rotation of duties, least privilege, and so on.

2. B. E-mail is the most common distribution method for viruses.

3. C. As more software is installed, more vulnerabilities are added to the system, thus adding more avenues of attack for viruses.

4. B. In areas where technical controls cannot prevent virus infections, users should be trained on how to prevent them.

5. B. Laws and regulations must be obeyed and security concerns must be adjusted accordingly.

6. C. Although wasting resources is considered inappropriate activity, it is not actually a crime in most cases.

7. D. Everyone should be informed when records about their activities on a network are being recorded and retained.

8. C. Concentric circles of different solutions is the best form of antivirus protection.

9. A. Workstation change is an effective means of preventing and detecting the presence of unapproved software.

10. C. Need-to-know is the requirement to have access to, knowledge about, or possession of data or a resource to perform specific work tasks.

11. A. Privileged operations functions are activities that require special access to perform within a secured IT environment. They may include auditing, maintenance, and user account management.

12. B. To use record retention properly, archives of audit logs must be kept for long periods of time.

13. D. Classification is the most important aspect of marking media because it determines the precautions necessary to ensure the security of the hosted content.

14. C. Purging of media is erasing media so it can be reused in a less-secure environment. The purging process may need to be repeated numerous times depending on the classification of the data and the security of the environment.

15. C. Sanitization can be unreliable because the purging, degaussing, or other processes can be performed improperly.

16. A. A directive control is a security tool used to guide the security implementation of an organization.

17. C. A detective control is a security mechanism used to verify whether the directive and preventative controls have been successful.

18. D. When possible, operations controls should be invisible, or transparent, to users. This keeps users from feeling hampered by security and reduces their knowledge of the overall security scheme, thus further restricting the likelihood that users will violate system security deliberately.


19. C. The goal of change management is to ensure that any change does not lead to reduced or compromised security.

20. B. A manual recovery type of trusted recovery process requires the intervention of an administrator.
