Page 1125 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Applying Security Operations Concepts
The primary purpose for security operations practices is to safeguard
assets including information, systems, devices, and facilities. These
practices help identify threats and vulnerabilities, and implement
controls to reduce the overall risk to organizational assets.
In the context of information technology (IT) security, due care and
due diligence refer to taking reasonable care to protect the assets of
an organization on an ongoing basis. Senior management has a direct
responsibility to exercise due care and due diligence. Implementing
the common security operations concepts covered in the following
sections, along with performing periodic security audits and reviews,
demonstrates a level of due care and due diligence that will reduce
senior management’s liability when a loss occurs.
Need-to-Know and Least Privilege
Need-to-know and the principle of least privilege are two standard
principles followed in any secure IT environment. They help provide
protection for valuable assets by limiting access to these assets.
Though they are related and many people use the terms
interchangeably, there is a distinct difference between the two.
Need-to-know focuses on permissions and the ability to access
information, whereas least privilege focuses on privileges.
Chapter 14, “Controlling and Monitoring Access,” compared
permissions, rights, and privileges. As a reminder, permissions allow
access to objects such as files. Rights refer to the ability to take actions.
Access rights are synonymous with permissions, but rights can also
refer to the ability to take action on a system, such as the right to
change the system time. Privileges are the combination of both rights
and permissions.
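The distinction between permissions, rights, and privileges, and between need-to-know and least privilege, can be made concrete in code. The following is an added example and is not code from the study guide: a toy model in which permissions gate access to documents (clearance plus need-to-know for a compartment), rights gate system actions, and a least-privilege review flags rights a role does not need. The level names, compartments, right names, and sample users are assumptions constructed for the example.

```python
"""Toy authorization model separating permissions (access to objects),
rights (ability to take actions) and privileges (both), to illustrate
need-to-know versus least privilege. Constructed example: levels,
compartments and right names are assumptions, not a real product's API."""
from dataclasses import dataclass, field

# Ordered classification levels (assumption: a simple four-level scheme)
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    compartment: str  # e.g. a project; need-to-know is tracked per compartment

@dataclass
class Subject:
    name: str
    clearance: str
    need_to_know: frozenset = field(default_factory=frozenset)  # compartments
    rights: frozenset = field(default_factory=frozenset)        # system actions

def has_permission(subject: Subject, doc: Document) -> bool:
    """Need-to-know: clearance is necessary but not sufficient; the subject
    must also have a work-related need for that specific compartment."""
    cleared = LEVELS[subject.clearance] >= LEVELS[doc.classification]
    return cleared and doc.compartment in subject.need_to_know

def has_right(subject: Subject, action: str) -> bool:
    """Least privilege: a system action is allowed only if explicitly granted."""
    return action in subject.rights

def excess_rights(subject: Subject, required: frozenset) -> set:
    """Least-privilege review: rights held beyond what the role requires."""
    return set(subject.rights - required)

# Constructed sample data: one analyst with clearance for both documents
# but a need-to-know for only one compartment, and one unneeded right.
PAYROLL_Q3 = Document("payroll-q3.xlsx", "confidential", "payroll")
MERGER_MEMO = Document("merger-memo.docx", "confidential", "m-and-a")
ANALYST = Subject("alice", "secret", frozenset({"payroll"}),
                  frozenset({"read_audit_log", "change_system_time"}))
ANALYST_REQUIRED_RIGHTS = frozenset({"read_audit_log"})
```

Running a least-privilege review with `excess_rights` against each role's required set is the kind of periodic check the text describes as demonstrating due care.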
Need-to-Know Access
The need-to-know principle imposes the requirement to grant users
access only to data or resources they need to perform assigned work