Study Guide: SSCP: 12. Security Administration and Planning
Source: https://www.fatskills.com/systems-security-certified-practitioner-sscp/chapter/sscp-12-security-administration-and-planning

SSCP: 12. Security Administration and Planning

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


A security policy is a written document, authoritative in nature, that provides a high-level view of the security goals for an organization. External standards may influence the security policy, but the organization decides what standards to follow. Personnel develop procedures based on the guidance from the security policy.
Senior-level management should create, or at least endorse, the organization’s security policy. Once the security policy is created, personnel within the organization implement and enforce it. Users must be made aware of the contents of the security policy through training, warning banners, posters, and other awareness methods, and they should be asked to read and sign an acceptable use policy. It’s common to review a security policy periodically, such as once a year or after a security incident.
Business continuity plans (BCPs) include processes and procedures to prevent the loss of mission-critical services. A BCP starts with a business impact analysis (BIA) and includes one or more disaster recovery plans (DRPs). It’s important to recognize that a BCP is not the same as a DRP, but a DRP is often a component of a BCP.
The BIA identifies the maximum acceptable outage (MAO) time (also called maximum tolerable downtime, or MTD) for critical services and systems. If an outage for one of the critical services or systems exceeds this time, it impacts critical business functions. The MAO drives the recovery time objective (RTO), or the maximum amount of time that the organization can take to restore a critical service or system. The recovery point objective (RPO) refers to the point in time to which a database needs to be recovered if the system fails.
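The MAO, RTO and RPO relationships above can be checked mechanically once a BIA is written down. The following is an added example, not from the study guide: a small Python checker over constructed BIA rows that flags an RTO longer than the MAO and a backup interval too long to meet the RPO (the `backup_interval` field and the sample systems are assumptions for illustration).

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class CriticalSystem:
    """One row of a BIA: a critical system and its recovery targets."""
    name: str
    mao: timedelta              # maximum acceptable outage (a.k.a. MTD)
    rto: timedelta              # recovery time objective, must fit within MAO
    rpo: timedelta              # recovery point objective (tolerable data-loss window)
    backup_interval: timedelta  # how often data is actually captured (assumed field)


def check_bia_entry(system: CriticalSystem) -> list[tuple[str, str]]:
    """Return (system name, finding) pairs for targets that cannot be met."""
    findings = []
    # The MAO drives the RTO: a recovery that takes longer than the business
    # can tolerate being down does not meet its objective.
    if system.rto > system.mao:
        findings.append((system.name, "RTO exceeds MAO"))
    # The RPO is only achievable if data is captured at least that often;
    # a backup taken every 4 hours cannot restore to a 1-hour-old point.
    if system.backup_interval > system.rpo:
        findings.append((system.name, "backup interval exceeds RPO"))
    return findings


def check_bia(systems: list[CriticalSystem]) -> list[tuple[str, str]]:
    """Validate every BIA row and collect all findings in order."""
    return [f for s in systems for f in check_bia_entry(s)]


def outage_exceeds_mao(system: CriticalSystem, outage: timedelta) -> bool:
    """True when an actual outage is long enough to impact critical business functions."""
    return outage > system.mao


# Constructed sample BIA rows (not real organisation data).
H = timedelta(hours=1)
SAMPLE_BIA = [
    CriticalSystem("payroll-db", mao=24 * H, rto=8 * H, rpo=1 * H, backup_interval=4 * H),
    CriticalSystem("web-storefront", mao=4 * H, rto=6 * H,
                   rpo=timedelta(minutes=15), backup_interval=timedelta(minutes=15)),
    CriticalSystem("email", mao=48 * H, rto=12 * H, rpo=24 * H, backup_interval=24 * H),
]

if __name__ == "__main__":
    for name, finding in check_bia(SAMPLE_BIA):
        print(f"{name}: {finding}")
```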
A DRP provides the steps required to restore a system after an outage. Organizations test both BCPs and DRPs using various testing methods. Tabletop exercises allow personnel to talk through the steps of a given scenario. Functional exercises simulate an event and allow personnel to walk through the steps of a given scenario.
Some BCPs require the use of alternative locations. A hot site includes all the hardware, software, and up-to-date data required to take over operations at a moment’s notice. A cold site includes a roof, water, and electricity, but little else. A warm site is a compromise between a hot site and a cold site. Some organizations use a mobile site instead of a fixed location, which allows the organization to move its operations to another location during an emergency.
NIST includes a Computer Security Division and an Information Technology Laboratory. The ITL has published over 100 Special Publications in the SP 800 series on a wide range of IT security topics. All of these special publications are available for free download here: https://csrc.nist.gov/publications/sp800. Other organizations that provide security-related materials include US-CERT and the SANS Institute.