The certified information systems security professional (CISSP) certification is a prestigious qualification for professionals working in the field of cybersecurity. The certification requires an exhaustive preparation in eight domains, ranging from security and risk management, asset security, security engineering, communication and network security, identity and access management, security and assessment testing, and security operations to software development security. These eight domains thoroughly cover a variety of subjects related to cybersecurity. They provide the indispensable managerial knowledge base to train well-rounded information security professionals.
The complexity of security challenges incessantly evolves in cyberspace. Security measures therefore have to accommodate such a dynamic landscape. In some demanding security environments, most notably, security operations centers (SOC), personnel should be highly cautious of the dynamics of network threats. They should be wary of static security solutions and obsolete practices to manage and evaluate security threats. The CISSP thus provides an authoritative framework for the necessary competences required in managerial duties of SOCs. The candidates of the CISSP are trained to be proficient in the foundational security operations concepts and their applications. This capacity can be considered as a preliminary preparation for further technical training.
Foundational Security Operations Concepts OverviewIn many highly digitalized and networked economies, SOCs represent the heart and the veins of large organizations―in particular, the financial institutions and government departments that manage huge volumes of network traffic and valuable digital assets. SOCs are the top administration structures that define, supervise, and coordinate information and communication technologies for their affiliated organizations. They adopt an advance security information and event management system (SIEM) to scrutinize anomalies of systems and networks to ensure effective and well-functioning operations for their organizations as well as respond to the adversaries. Examples of SOCs include a security defense center (SDC) and a network security operations center (NSOC) that are often found in the intelligence and military service of governments. Since the missions and duties of SOCs can be sensitive and decisive in the daily functioning of an organization, the management of SOC thus requires a set of rigorous fundamental concepts in security operations. These conditions can be grouped into six categories: the principle of need-to-know (NTK) and least privilege (POLP), the separation of duties and responsibilities, the monitoring of special privileges, the rotation of job duties, the lifecycle of information, and the service-level agreements.
The monetary and human resources required for setting up a SOC can be tremendous. Moreover, the high requirements and capabilities of running a SOC might pose a management challenge for organizations. These two considerations may lead to organizations outsourcing their SOCs to external parties. Indeed, entrusting the sophisticated cyber-management to seasoned professionals can be an ideal approach to optimize the investment against cyber-threats. Nevertheless, ceding the control and protection of critical information systems and operations, such as accounting, legal, and payroll, to a third party is an important decision. For building or subcontracting the SOC of a large organization, personnel (CISSP professionals) who understand and are capable of implementing the management methodology of the six aspects of fundamental security operations concepts are imperative.
Principle of Least Privilege (POLP) and Need-to-Know (NTK)To begin, the concepts of POLP and NTK are complementary to each other, like the two sides of the same coin. On the one hand, the POLP refers to limiting the workstation, operation system, and applications to the minimal functioning level that the operating personnel need to perform their duties. A ubiquitous example can be the different accounts of an operation system: administrator, employee, guest and visitor, to name a few. Most of the time, the non-administrator accounts are not permitted to install, configure, and modify applications that are unknown and can eventually pose a threat to the existing operation environment. This measure can help prevent low-level personnel from mistakenly or maliciously installing or activating remote access tools (RAT) and various types of malware. On the other hand, the NTK describes the same limitations on the personnel level that can be understood as the confidentiality of data. It signifies the least data and information that the operator needs to know carry out his duties. POLP and NTK always work hand in hand. One example is the manipulation of a particular information management system. The non-administrator personnel do not need to know the information about how to install and set up their workstation. They simply need the minimal knowledge of how to use the system that is configured with the POLP idea. This is a typical scenario of one of the key security operations concepts.
Monitoring Special PrivilegesThe notions of POLP and NTK are sometimes subject to change on occasions when the relevant personnel have to be granted more system privileges and data access in order to perform their duties fully. Such occasions can occur, for example, when a higher-level system administrator or manager is absent for a significant period of time. Consequently, current lower-level personnel might have to stand in for the relevant role. The temporary ease or increase in system privileges is called privilege bracketing. The duration and appropriate accesses are strictly defined and restricted to the least necessary ones.
In addition, despite the fact that the POLP and NTK notions are supposed to apply to all personnel, there are inevitably some with higher, unrestricted, and more special privileges that might arouse concerns of possible authority abuse. Organizations should not neglect the need to monitor those personnel who have exclusive access to and authority over the entire database and network systems. Registering system logs and regular third-party system/site audits are efficient preventive monitoring measures. In case of abusive activities, such system records can serve forensic purposes for legal pursuits.
Separation of Duties and ResponsibilitiesBesides relying on third-party monitoring systems and adopting the notions of PLOP and NTK, organizations can also strengthen their defense level with internal mechanisms to separate the duties of personnel holding key functions and responsibilities. The core idea is to break down the decision-making process into a multi-stakeholder model to ensure that no single person can execute a decision alone. Each step of the process should be assigned to a different person so as to establish checks and balances within the decision-making process. In summary, the separation of duties and responsibilities should involve multiple personnel in different stage of a decision process. In general, the making, execution, monitoring, and evaluation of a decision should therefore be assigned to four different personnel. In this way, it cannot be the same personnel monopolizing the entire decision implementation cycle, and thus it minimizes the conflict of interests.
Nonetheless, it should be noted that the separation of duties and responsibilities is one of the underlying principles that facilitates the management of a SOC. It does not necessarily reduce the chance of misconduct to zero. Instead, it signifies that corrupting the whole chain of trust will be compulsory. Organizations should regularly check and study the duties of the personnel to verify that there is no conflict of interests.
Job RotationIn fact, the fundamental security concepts of a robust security management environment emphasize compartmentalizing privileges, duties, accesses, and responsibilities. It is obvious that large organizations have become increasingly digitalized and that the personnel administering the databases and networks can accumulate power as well as identifying vulnerabilities in the decision-making process over time. Besides constant evaluation of the work flow and system logs to ensure no privilege exploits, a further step is job rotation. The accumulation of power in key positions not only affects decision implementation processes, it can also deal considerable damage to the institution in the case of revenge resignation of these key personnel. They might leave their position with all the credentials and savoir-faire under short notice. This creates a professional vacuum that can paralyze the work routine of the organization. Job rotation addresses that problem and it can generate additional advantages. It further prevents the monopoly of duties and encourages professional mobility for other personnel within the organization.
Information Lifecycle ManagementThe aforementioned concepts focus on managing the human aspect, in other words, the “soft” side of cybersecurity. The personnel are employed to safeguard the digital assets and networks. Taking a step backward, if the digital assets and sensitive information are ambiguous and they lack management, it is unlikely that the organization can effectuate appropriate management practices. Thus, the strategies for managing the duties of personnel can be further perfected through a rigorous assessment regarding the data and information that the organization is protecting. Identifying information assets in the organization is always the first phase of managing information. The identification process will pave the way to the evaluation of various digital assets. The organization and its security professionals can then design defense mechanisms, internal workflow (POLP, NTK and separation of duties), countermeasures, business continuity and response plans based on the values of the identified digital assets. There are two major guidelines assisting the development of information lifecycle management. First, organizations should be able to assign an appropriate timeframe to define data/information categories. Digital assets should be categorized as short-term, mid-term, long-term, and permanent. Second, a reasonable estimate of monetary value suggested in the digital assets should be accorded with pertinent protection investment. It will not make sense to allocate $20 of a security budget to secure a digital asset worth $1. Neither would it be sensible to store obsolete data permanently.
Service-Level Agreements (SLAs)Information security management involves a complex supply chain. Both internal personnel and external service providers are bound together to create competent solutions for security operations purposes. In this context, the external service provider has to provide a well-structured SLA stating clearly the different services, resources, liabilities, performance, and other crucial conditions related to the implementation of the specific service. The SLA is a good contract and practice for third-party service providers to align the objectives with the purchasing organization. It is also the occasion for both parties to discuss the detailed terms for overseeing the operations scenarios. Various ideas about the management of privileges and information lifecycle are all indispensable topics in drafting the SLA. In a way, the SLA can be seen as a checklist even for the internal personnel to see if all the privileges and authorities issues are settled.
ConclusionGoing through the fundamental security concepts and suggestions of their applications facilitates the understanding of deploying effective security policies for organizations. As one of the eight domains of the CISSP certification, these concepts lay the foundation for the implementation of elementary security practices. The need to manage significant data and information flow as well as their security has expanded progressively in the last decade. Having a seasoned team of cybersecurity professional to oversee security threats is no longer reserved for government institutions. Companies and other organizations having high-valued digital assets should not hesitate to consult professional advice when it comes to managing their SOCs.