CISSP For Dummies
Several common information security management practices are introduced here and described in greater detail in other chapters (conveniently cross-referenced, of course!).
Outsourcing
Many IT functions (particularly call center support and application development) are commonly outsourced today. Information security policies and procedures must address outsourcing security and the use of vendors or consultants, when appropriate. Access control, maintenance hooks, and service level agreements are good examples of outsourcing security considerations.
Internal Service Level Agreements (SLAs)
Service Level Agreements (SLAs) establish minimum performance standards for a system, application, network, or service. An organization establishes internal SLAs to provide its end-users with a realistic expectation of its information systems and services. For example, a help desk SLA might prioritize incidents as 1, 2, 3, or 4, and establish SLA response times of 10 minutes, 1 hour, 4 hours, and 24 hours, respectively.
Cross-Reference: See Chapter 7 for more on Service Level Agreements.
Identity management
Identity management is accomplished through account provisioning and deprovisioning (creating and disabling user accounts), access control, and directory services. Its purpose is to identify a subject or object (see “Uncovering Concepts of Access Control” in Chapter 4) within an application, system, or network.
A Public Key Infrastructure (PKI) is one example of an identity management component: it issues and manages digital certificates that support authentication, non-repudiation, and access control.
Cross-Reference: See Chapter 4 for more on identity management.
Certification and accreditation
Certification is the formal evaluation of a system that involves comprehensive testing and documentation of the system and its information security safeguards.
Accreditation is management’s official written acceptance and approval of a specific system certification in a specific operating environment.
Cross-Reference: See Chapters 7 and 9 for more on certification and accreditation.