186 Chapter 5 ■ Protecting Security of Assets
Many legal documents refer to the collection limitation principle. While the wording varies in different laws, the core requirements are consistent. A primary requirement is that the collection of data should be limited to only what is needed. As an example, if an organization needs a user’s email address to sign up for an online site, the organization shouldn’t collect unrelated data such as a user’s birth date or phone number. Additionally, data should be obtained by lawful and fair methods. When appropriate, data should be collected only with the knowledge and/or consent of the individual.
Using Security Baselines
Once an organization has identified and classified its assets, it will typically want to secure them. That’s where security baselines come in. Baselines provide a starting point and ensure a minimum security standard. One common baseline that organizations use is imaging. Chapter 16, “Managing Security Operations,” covers imaging in the context of configuration management in more depth. As an introduction, administrators configure a single system with desired settings, capture it as an image, and then deploy the image to other systems. This ensures that all the systems are deployed in a similar secure state, which helps to protect the privacy of data.
After deploying systems in a secure state, auditing processes periodically check the systems to ensure they remain in a secure state. As an example, Microsoft Group Policy can periodically check systems and reapply settings to match the baseline.
NIST SP 800-53 Revision 5 discusses security control baselines as a list of security controls. It stresses that a single set of security controls does not apply to all situations, but any organization can select a set of baseline security controls and tailor it to its needs. Appendix D of SP 800-53 includes a comprehensive list of controls and has prioritized them as low-impact, moderate-impact, and high-impact. These refer to the worst-case potential impact if a system is compromised and a data breach occurs.
As an example, imagine a system is compromised. What is the impact of this compromise on the confidentiality, integrity, or availability of the system and any data it holds?
■ If the impact is low, you would consider adding the security controls identified as low-impact controls in your baseline.
■ If the impact of this compromise is moderate, you would consider adding the security controls identified as moderate-impact, in addition to the low-impact controls.
■ If the impact is high, you would consider adding all the controls listed as high-impact in addition to the low-impact and moderate-impact controls.
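The two ideas above, cumulative impact tiers with organizational tailoring and a periodic audit that reapplies drifted settings to match the baseline, modeled in Python. This is an added example, not text or code from the study guide; the control identifiers, tier allocations and system settings are constructed for illustration and are not the actual SP 800-53 baseline allocations.

```python
"""Illustrative model of baseline selection by impact level and of
baseline drift auditing. Control names and settings are constructed."""
from enum import IntEnum


class Impact(IntEnum):
    """Worst-case impact of a compromise; tiers are ordered and cumulative."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed catalogue: control -> lowest impact tier that selects it.
# (Illustrative only; not the real SP 800-53 allocations.)
CONTROL_CATALOGUE = {
    "AC-POLICY": Impact.LOW,            # access control policy and procedures
    "IA-UNIQUE-ID": Impact.LOW,         # unique user identification (usernames)
    "IA-AUTH": Impact.LOW,              # secure authentication procedures
    "AC-LEAST-PRIV": Impact.MODERATE,   # least privilege enforcement
    "AU-REVIEW": Impact.MODERATE,       # periodic audit log review
    "SC-ENCRYPT-AT-REST": Impact.HIGH,  # encryption of stored data
}


def select_baseline(impact, tailor_add=(), tailor_remove=()):
    """Return the cumulative control set for an impact level: a higher
    tier includes every control of the tiers below it. Tailoring then
    adds or removes controls to fit the organization's needs."""
    selected = {c for c, tier in CONTROL_CATALOGUE.items() if tier <= impact}
    selected |= set(tailor_add)
    selected -= set(tailor_remove)
    return selected


def audit_drift(baseline_settings, current_settings):
    """Compare a system's current settings with the baseline image and
    return the settings that must be reapplied (missing or changed),
    the way a Group Policy refresh re-enforces the configured state."""
    return {
        key: value
        for key, value in baseline_settings.items()
        if current_settings.get(key) != value
    }


if __name__ == "__main__":
    # Constructed settings for a system that has drifted from its image.
    image = {"password_min_length": 14, "guest_account": "disabled",
             "audit_logon_events": "enabled"}
    observed = {"password_min_length": 8, "guest_account": "disabled"}
    print(sorted(select_baseline(Impact.MODERATE)))
    print(audit_drift(image, observed))
```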
It’s worth noting that many of the items labeled as low-impact are basic security practices. For example, access control policies and procedures (in the AC family) ensure that users have unique identifications (such as usernames) and can prove their identity with secure authentication procedures. Administrators grant users access to resources based on their proven identity (using authorization processes).
Similarly, implementing basic security principles such as the principle of least privilege shouldn’t be a surprise to anyone studying for the CISSP exam. Of course, just
because these are basic security practices, it doesn’t mean organizations implement them. Unfortunately, many organizations have yet to discover, or enforce, the basics.