The objective of this chapter is to provide the reader with an understanding of the following:

Domain 5.0: Operational/Organizational Security – 15%

5.1 Understand the application of the following concepts of physical security:

• Access Control (Physical Barriers; Biometrics); Social Engineering
  
  
• Environment (Wireless Cells; Location; Shielding; Fire Suppression)

5.2 Understand the security implications of the following topics of disaster recovery:

• Backups (Off Site Storage)
  
  
• Secure Recovery (Alternate Sites); Disaster Recovery Plan

5.3 Understand the security implications of the following topics of business continuity:

• Utilities; High Availability / Fault Tolerance; Backups

5.4 Understand the concepts and uses of these types of policies and procedures:

• Security Policy:
  • Acceptable Use; Due Care; Privacy; Separation of Duties
    
    
  • Need to Know; Password Management; SLAs (Service Level Agreements)
    
    
  • Disposal / Destruction
    
    
  • HR (Human Resources) Policy: Termination, Hiring, Code of Ethics
  
  
  
• Incident Response Policy

5.5 Explain the following concepts of privilege management:

• User / Group / Role Management;
  
  
• Single Sign-on; Centralized vs. Decentralized
  
  
• Auditing (Privilege, Usage, Escalation)
  
  
• MAC / DAC / RBAC

5.6 Understand the concepts of the following topics of forensics:

• Chain of Custody; Preservation of Evidence; Collection of Evidence

5.7 Understand and be able to explain the following concepts of risk identification:

• Asset Identification; Risk Assessment; Threat Identification; Vulnerabilities

5.8 Understand the security relevance of the education and training of end users, executives and human resources

• Communication; User Awareness; Education; On-line Resources

5.9 Understand and explain the following documentation concepts:

• Standards and Guidelines; Systems Architecture; Change Documentation
  
  
• Logs and Inventories; Classification (Notification)
  
  
• Retention / Storage; Destruction

Quick navigation to subsections and regular topics in this section

• Getting Ready for Chapter 5 - Questions
• Getting Ready for Chapter 5 - Answers
• 5.0  Operational/Organizational Security
• 5.1  Physical Security
• 5.2  Disaster Recovery
• 5.3  Business Continuity
• 5.4  Policy and Procedures
• Pop Quiz 5.1 (Parts: 1 2 )
• 5.5  Privilege Management
• 5.6  Computer Forensics (Parts: 1 2 )
• 5.7  Risk Identification
• 5.8  Education
• 5.9  Documentation
• 5.10  Summary (Parts: 1 2 3 4 5 )
• 5.11  Success Questions
• 5.12  Success Answers