Chapter 3 – Administration

Publisher Summary

This chapter deals with Systems Security Certified Practitioner (SSCP) exam administration. The administration area encompasses the security principles, policies, standards, and guidelines used to identify, classify, and ensure the confidentiality, integrity, and availability of an organization's information assets. The administration area also includes roles and responsibilities, configuration management, change control, security awareness, and the application of accepted industry practices. The topics covered in this chapter are some of the most common topics within the computer security industry and form the basis for what security professionals do all around the world. Access control, information classification, risk assessment and mitigation, and the change management process are all pieces of the puzzle that are put together in this chapter. In many respects, these topics form the basis for the rest of the SSCP common body of knowledge. This chapter provides information on the risk assessment process and on how to develop quality recommendations for risk mitigation that take into account the organizational constraints; the concepts of confidentiality, integrity, and availability; and other considerations. In addition, the chapter introduces some forms of malicious code that have wreaked havoc on organizations connected to the Internet for at least the last 10 years.