Page 350 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

listed as high-impact in addition to the low-impact and moderate-impact controls.

It’s worth noting that many of the items labeled as low-impact are basic security practices. For example, access control policies and procedures (in the AC family) ensure that users have unique identifications (such as usernames) and can prove their identity with secure authentication procedures. Administrators grant users access to resources based on their proven identity (using authorization processes).
Similarly, implementing basic security principles such as the principle of least privilege shouldn’t be a surprise to anyone studying for the CISSP exam. Of course, just because these are basic security practices, it doesn’t mean organizations implement them. Unfortunately, many organizations have yet to discover, or enforce, the basics.
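The three AC-family basics named above (unique identification, authentication of that identity, and authorization limited to what the role needs) are easy to state and easy to get wrong. The following is an added illustration, not code from the study guide or from any control catalog; the users, passwords, roles and resources in it are constructed sample data, and the role-to-permission table is a hypothetical least-privilege policy.

```python
"""Added illustration of AC-family basics: unique user IDs, secure
authentication, and authorization that grants only what a role needs.
All users, passwords, roles and resources are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so stored credentials are not reversible or comparable."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class User:
    username: str          # the unique identifier (identification)
    salt: bytes
    password_hash: bytes
    roles: Set[str] = field(default_factory=set)


# Hypothetical least-privilege policy: each role lists only the
# (resource, action) pairs it needs to do its job, nothing more.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "reader": {("reports", "read")},
    "analyst": {("reports", "read"), ("reports", "write")},
    "admin": {("reports", "read"), ("reports", "write"), ("users", "manage")},
}


class AccessControl:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def register(self, username: str, password: str, roles: Iterable[str]) -> None:
        # Identification: usernames must be unique so actions are attributable.
        if username in self._users:
            raise ValueError(f"username {username!r} is not unique")
        salt, digest = hash_password(password)
        self._users[username] = User(username, salt, digest, set(roles))

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: prove the claimed identity with a constant-time check."""
        user = self._users.get(username)
        if user is None:
            hash_password(password)  # same cost whether or not the user exists
            return False
        _, digest = hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.password_hash)

    def authorize(self, username: str, resource: str, action: str) -> bool:
        """Authorization: allowed only if some role of this user grants the pair."""
        user = self._users.get(username)
        if user is None:
            return False
        return any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                   for r in user.roles)

    def access(self, username: str, password: str, resource: str, action: str) -> bool:
        """Full flow: identity must be proven before any authorization decision."""
        if not self.authenticate(username, password):
            return False
        return self.authorize(username, resource, action)
```

The ordering in access() is the point: the authorization decision is made against the proven identity, never against the claimed one, and a role that is not in the policy table grants nothing by default.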


               Scoping and Tailoring


Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you’re trying to protect. For example, if a system doesn’t allow any two people to log on to it at the same time, there’s no need to apply a concurrent session control.

Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organization. For example, an organization might decide that a set of baseline controls applies perfectly to computers in their main location, but some controls aren’t appropriate or feasible in a remote office location. In this situation, the organization can select compensating security controls to tailor the baseline to the remote location.
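Scoping and tailoring are two distinct passes over the same baseline, and auditors expect the reasoning for each dropped or substituted control to be recorded. The following added example, which is not from the study guide and is not modeled on any real control catalog, shows both passes over a constructed baseline: scoping removes controls whose applicability condition the system does not meet (the concurrent-session case from the text), and tailoring swaps controls that are infeasible at a remote office for the compensating controls the organization has chosen. The control identifiers and titles are hypothetical placeholders, not NIST SP 800-53 IDs.

```python
"""Added example of scoping and tailoring a control baseline.
Control IDs, titles and system profiles are constructed placeholders."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    # Applicability predicate over the system profile; None = always applies.
    applies_if: Optional[Callable[[dict], bool]] = None


# Constructed baseline (hypothetical IDs, not a real catalog).
BASELINE: List[Control] = [
    Control("AC-ID", "Unique user identifiers"),
    Control("AC-CONC", "Concurrent session control",
            applies_if=lambda s: s["allows_concurrent_logons"]),
    Control("PE-LOCK", "Badge-reader physical access control"),
    Control("SC-WIFI", "Wireless access restrictions",
            applies_if=lambda s: s["has_wireless"]),
]


def scope(baseline: List[Control], system: dict) -> Dict[str, List[Control]]:
    """Scoping: keep only controls whose applicability condition holds,
    and record the ones removed so the decision is auditable."""
    kept, scoped_out = [], []
    for control in baseline:
        if control.applies_if is None or control.applies_if(system):
            kept.append(control)
        else:
            scoped_out.append(control)
    return {"kept": kept, "scoped_out": scoped_out}


def tailor(controls: List[Control],
           compensating: Dict[str, Control]) -> Dict[str, List]:
    """Tailoring: replace controls that are infeasible at this location with
    the compensating control chosen for each; record every substitution."""
    selected, substitutions = [], []
    for control in controls:
        replacement = compensating.get(control.control_id)
        if replacement is None:
            selected.append(control)
        else:
            selected.append(replacement)
            substitutions.append((control, replacement))
    return {"selected": selected, "substitutions": substitutions}


def select_controls(baseline: List[Control], system: dict,
                    compensating: Dict[str, Control]) -> Dict[str, List]:
    """Scope first (what can apply), then tailor (what is feasible here)."""
    scoped = scope(baseline, system)
    tailored = tailor(scoped["kept"], compensating)
    return {
        "selected": tailored["selected"],
        "scoped_out": scoped["scoped_out"],
        "substitutions": tailored["substitutions"],
    }


def selected_ids(result: Dict[str, List]) -> List[str]:
    return [c.control_id for c in result["selected"]]


if __name__ == "__main__":
    # Constructed remote-office profile: single-user workstations, wireless in
    # use, no badge readers on site; a visitor log plus a locked cabinet is the
    # compensating control the organization chose for PE-LOCK.
    remote_office = {"allows_concurrent_logons": False, "has_wireless": True}
    remote_compensating = {
        "PE-LOCK": Control("PE-LOG", "Visitor sign-in log and locked server cabinet"),
    }
    result = select_controls(BASELINE, remote_office, remote_compensating)
    print("selected:", selected_ids(result))
    for c in result["scoped_out"]:
        print("scoped out:", c.control_id, "-", c.title)
    for old, new in result["substitutions"]:
        print("tailored:", old.control_id, "->", new.control_id)
```

Keeping scope() and tailor() separate mirrors the distinction the text draws: scoping answers "can this control apply to this system at all?", tailoring answers "is this control the right fit for this location?". The returned lists of scoped-out and substituted controls are the record an assessor will ask for.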



               Selecting Standards

When selecting security controls within a baseline, or otherwise, organizations need to ensure that the controls comply with certain external security standards. External elements typically define compulsory requirements for an organization. As an example, the Payment Card Industry Data Security Standard (PCI DSS) defines