Security Operations

All organizations have some type of security requirements to protect their assets (e.g., information, facilities, personnel). In establishing security operations, an organization must first identify the resources that need to be protected and then select the appropriate measures to prevent those resources from being exploited or destroyed. These measures, or controls, define the who, what, when, where, how, and why of access to organizational assets.

Processes and procedures for auditing and monitoring these resources must be defined, and mechanisms for identifying, reacting to, and documenting security events must be established. Whether the strategy is active and network-based, enforcing policy and access control as an intrusion prevention system (IPS) does, or passive, as with an intrusion detection system (IDS), having access control monitoring and management mechanisms in place is critical to an effective security operations plan.

While planning to thwart attacks on organizational assets and identifying vulnerabilities may put an organization in a good security posture, it should never assume it is completely protected from attack. To that end, organizations should prepare for disruptions that could affect normal business operations and document the procedures to be followed if any such scenario becomes a reality.

By creating both a business continuity plan (BCP) and a disaster recovery plan (DRP), organizations will be ready to resume operations if they experience major disasters or system outages. Both BCP and DRP involve the creation, testing, and revision of the actions to be taken if such an event occurs. The BCP identifies exposure to internal and external threats and protects against interruptions to critical business processes by defining the procedures that allow business operations to be recovered with minimal loss. The DRP outlines the procedures for emergency response, extended backup operation, and post-disaster recovery, enabling the organization to keep applications running while the steps to bring systems back to normal operation are completed as quickly as possible.

If an organization does experience an attack, investigative measures and techniques should be employed to determine whether a crime has been committed or whether someone has unlawfully accessed resources. The investigative process (i.e., identification, preservation, collection, examination, analysis, presentation, decision) must be followed in conjunction with the evidence life cycle (e.g., collect, analyze, present, return) and the rules of evidence. When security-related incidents do occur, having reactive response services and a prescribed incident management approach in place will enable the organization to recover quickly.

The topics listed below, drawn from the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge, cover this subject area in more depth.

References

Ouyang, A. (n.d.). Access control domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-8-AC_files/8-Access_Control.pdf

Ouyang, A. (n.d.). Business & disaster recovery planning domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-9-BCDRP_files/9-BCP+DRP.pdf

Ouyang, A. (n.d.). Legal, regulations, compliance & investigations domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-10-LRCI_files/10-Legal+Compliance+Investigation.pdf

Ouyang, A. (n.d.). Operations security domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-4-OS_files/4-Operations_Security.pdf