CISSP: Domain 7, Module 4
This course is the final module of Domain 7 of the CISSP, covering Security Operations.
The objectives of this course are to provide you with the ability to:
- Participate in business continuity planning
- Implement and manage physical security
- Participate in personnel safety
This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.
Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
One thing that has been added in recent versions of the CISSP domain is the CISSP's participation in personnel safety. Typically this is something physical security professionals are mostly involved with, but there is an element that calls for a CISSP type of professional's knowledge and skill. So when corporate travel is necessary, or personal travel for that matter, various topics need to be considered. We need to think about encryption: whether or not it's necessary and, if it is, whether the need can be avoided by not creating the circumstances that would require it; or, if we can't do that, what form of encryption we need. If we're going to take some technology with us, or use technology at our destination, how can we do that securely? If we're going into foreign countries, what additional jurisdictional concerns may arise? There may be a need for personal protection of various forms. And then we have to be situationally aware so that we can monitor conditions as they change. All of these require the professional guidance of our travel or internal security department to ensure that our travel is not only compliant but, first and foremost, safe.
One of the frequent ways of delivering training and awareness is to work through various forms of scenarios. A scenario exercise takes us through a risk analysis in which assets, persons, access and alternatives are mapped out in different stories showing how things can go wrong, so that you can discuss what to do about them. The more scenarios reviewed, the more knowledgeable the participants and the better the results of the exercise, which ultimately means that the person will be safer in their travels.
Specific topics in the area of security training and awareness will include location-specific orientation for the travelers. During the training, the professional leading it will discuss the emergency procedures that should be followed. There needs to be a process by which any sort of incident can be reported properly, and to whom. What also needs to be looked at is the user's role in incident detection and response, which again emphasizes situational awareness and how to recognize attack attempts directly targeting individuals, so that, forewarned being forearmed, the incident can perhaps be avoided altogether.
Without question, emergency management needs to be addressed during these training sessions. Elements of this program will include things like fire detection and suppression systems, again emphasizing situational awareness. Depending upon the type of facility, evacuation practice can be a very useful exercise. There needs to be some form of coordination with external entities, and identification of who those entities are. Depending upon the kind of travel and the area being visited, there may be localized threats specific to that area, whether Europe, Scandinavia, Australia, Russia, Africa or wherever it might be; there are certain things that are particular to the given area, and these need to be discussed in detail to ensure that the traveler is properly informed. If assets are going to be taken, whether physical assets such as tablets, computers and cell phones, or information, asset protection needs to be put in its proper place. Human life safety is going to be the most important thing in any of this training, but asset protection needs to be discussed so that there's no confusion about where it falls in the priorities. Relocation strategies may also need to be discussed, depending upon the kind of travel and where it's going to be.
Duress is the term used for the effect this travel could have on the person doing the traveling if everything goes poorly. Personnel should have the means to report to the organization if they're ever put under duress. This is especially true for travelers such as senior management or high net worth individuals, critical personnel and others who may be subject to crimes that target those roles. Such a duress report may have to be made in a subtle or covert way. There may actually need to be some form of training and practice in this area for individuals who will be facing a heightened potential for this to occur, and schedules and behaviors need to be spoken of so that people understand how attackers use scheduled travel, and the routines people follow when they travel, to put a person under duress.
One of the places where a CISSP can make a real contribution is to speak on the subject of taking electronic technology with you. The first piece of advice is that if you can travel without the device, it's best not to take it: that's one less article to be stolen or lost. If you're taking information assets with you, take only what you need, and at the lowest level possible; or if you don't have to take it at all, because where you're going you'll have a way of accessing it through a secure remote connection, then it's best not to take it with you, again leaving behind something that might otherwise be lost or stolen while you're traveling. This is especially true the more sensitive the information is. If you do have to take it, make sure all the information is backed up before you leave, and leave the backup copy in a place where someone at your organization knows where it is in case they must access it. Then, if feasible, use a different mobile device from your usual one and remove the battery when not in use. Use it whenever you need to, and if you don't want to be tracked because you suspect that may be something attackers are doing, remove the battery, put it back in when you communicate, and then take it out again. All of these things need to be coordinated with your travel department to be sure there are no gaps or blank spots anywhere in the program, so that everyone knows who's going, where they're going, and how they can be reached.
So we come to the end of Domain 7, Security Operations. As you've seen, we've discussed a very wide variety of topics, including everything from personnel safety to how we run investigations. In covering this particular domain, be sure to study each area and each subject so that you have a general familiarity with each one. That concludes our discussion of Domain 7. Thank you for joining us. Please return as we start our discussion of our final domain, Domain 8 - Application Security. Thank you.
About the Author
Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.
Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.