Page 1172 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Summary


Several basic security principles are at the core of security operations in any environment. These include need-to-know, least privilege, separation of duties and responsibilities, job rotation, and mandatory vacations. Combined, these practices help prevent security incidents from occurring, and limit the scope of incidents that do occur. Administrators and operators require special privileges to perform their jobs following these security principles. In addition to implementing the principles, it’s important to monitor privileged activities to ensure that privileged entities do not abuse their access.
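The principles listed above (least privilege, separation of duties, and monitoring of privileged activity) can be made concrete in a small authorization check. The following is an added example written for this page, not code from the study guide; the roles, permissions, conflicting-duty pairs, user names, and the `authorize`/`privileged_summary` functions are all constructed for illustration.

```python
"""Least privilege, separation of duties, and privileged-activity auditing.

Added example (not from the CISSP study guide). Each role holds only the
permissions its job needs (least privilege), some permission pairs may never be
held by one person (separation of duties), and every privileged action, allowed
or denied, is written to an audit log so it can be reviewed later.
All roles, users and permissions below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Hypothetical role-to-permission mapping: each role gets only what the job needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "helpdesk": frozenset({"reset_password", "read_ticket"}),
    "backup_operator": frozenset({"read_backup", "write_backup"}),
    "dba": frozenset({"read_db", "alter_schema"}),
    "change_requester": frozenset({"submit_change"}),
    "change_approver": frozenset({"approve_change"}),
}

# Permission pairs one person must never hold together (separation of duties).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("submit_change", "approve_change"),
    ("write_backup", "alter_schema"),
]

# Actions treated as privileged: these are always recorded in the audit log.
PRIVILEGED: FrozenSet[str] = frozenset(
    {"reset_password", "write_backup", "alter_schema", "approve_change"}
)


@dataclass
class AuditLog:
    """In-memory stand-in for a write-once audit trail."""
    entries: List[str] = field(default_factory=list)


def effective_permissions(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the permissions granted by the user's roles (unknown roles grant nothing)."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def sod_violations(roles: Iterable[str]) -> List[Tuple[str, str]]:
    """Conflicting permission pairs that this role combination would give one person."""
    perms = effective_permissions(roles)
    return [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]


def authorize(user: str, roles: Iterable[str], action: str, audit: AuditLog) -> bool:
    """Allow the action only if it lies within the user's roles and the role
    combination itself does not violate separation of duties.
    Privileged actions and every denial are appended to the audit log."""
    roles = list(roles)
    conflicts = sod_violations(roles)
    allowed = action in effective_permissions(roles) and not conflicts
    if action in PRIVILEGED or not allowed:
        verdict = "ALLOW" if allowed else "DENY"
        if conflicts:
            reason = "sod_conflict"
        elif allowed:
            reason = "ok"
        else:
            reason = "not_in_role"
        audit.entries.append(f"{verdict} user={user} action={action} reason={reason}")
    return allowed


def privileged_summary(audit: AuditLog) -> Dict[str, Dict[str, int]]:
    """Per-user count of ALLOW/DENY audit entries, the raw material for a
    periodic review of what privileged entities actually did."""
    summary: Dict[str, Dict[str, int]] = {}
    for line in audit.entries:
        verdict, rest = line.split(" ", 1)
        user = rest.split(" ")[0].split("=", 1)[1]
        summary.setdefault(user, {"ALLOW": 0, "DENY": 0})[verdict] += 1
    return summary


if __name__ == "__main__":
    log = AuditLog()
    authorize("alice", ["helpdesk"], "reset_password", log)       # allowed, audited
    authorize("alice", ["helpdesk"], "alter_schema", log)         # denied: not in role
    authorize("bob", ["change_requester", "change_approver"],
              "approve_change", log)                              # denied: SoD conflict
    for entry in log.entries:
        print(entry)
    print(privileged_summary(log))
```

The point of the `sod_violations` check is that a denial happens even when the requested action is individually in one of the user's roles: holding both "submit_change" and "approve_change" is itself the problem, which is why such role combinations should be caught at assignment time as well as at request time. The audit log records denials too, since repeated denied attempts at privileged actions are exactly what a reviewer wants to see.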
With resource protection, media and other assets that contain data are protected throughout their lifecycle. Media includes anything that can hold data, such as tapes, internal drives, portable drives (USB, FireWire, and eSATA), CDs and DVDs, mobile devices, memory cards, and printouts. Media holding sensitive information should be marked, handled, stored, and destroyed using methods that are acceptable within the organization. Asset management extends beyond media to any asset considered valuable to an organization—physical assets such as computers and software assets such as purchased applications and software keys.

Virtual assets include virtual machines, virtual desktop infrastructure (VDI), software-defined networks (SDNs), and virtual storage area networks (VSANs). A hypervisor is the software component that manages the virtual components. The hypervisor adds an additional attack surface, so it’s important to ensure that it is deployed in a secure state and kept up-to-date with patches. Additionally, each virtual component needs to be updated separately.

Cloud-based assets include any resources stored in the cloud. When negotiating with cloud service providers, you must understand who is responsible for maintenance and security. In general, the cloud service provider has the most responsibility with software as a service (SaaS) resources, less responsibility with platform as a service (PaaS) offerings, and the least responsibility with infrastructure as a service (IaaS) offerings. Many organizations use service-level agreements