SSCP Study Guide

The administration area encompasses the security principles, policies, standards, procedures and guidelines used to identify, classify and ensure the confidentiality, integrity and availability of an organization's information assets. It also includes roles and responsibilities, configuration management, change control, security awareness, and the application of accepted industry practices.
Welcome to the world of security administration. The topics covered in this chapter are some of the most common in the computer security industry, and they form the basis for what security professionals do all around the world. Access control, information classification, risk assessment and mitigation, and the change management process are all pieces of the puzzle that are put together in this chapter. In many respects, these topics form the basis for the rest of the SSCP Common Body of Knowledge (CBK).
Ideally, all of these areas are addressed in a comprehensive security policy. Security analysts understand that security policies set the stage for the entire security program at any organization. But in order for the policies or the practices to be enforceable and adhered to, the upper management of the organization must understand and agree with the policies. Some of the information in this chapter shows how these topical areas impact the security of an organization. They revolve around defining the critical information assets within an organization, identifying the threats and risks to those assets, and coming up with solutions to eliminate or mitigate those threats. The key to management "buy-in" on these...