# Security Operations & Administration

As an SSCP, you'll have to help people and organizations identify their information security needs, build the systems to secure their information, and keep that information secure.

## Comply with Codes of Ethics

Privacy is freedom from intrusion, and security is the protection of something or someone from loss, harm, or injury, now or in the future. 

Whether it's the business of business, the functions of government, or the actions and choices of individuals in our society, we can see that information is what makes everything work. Information provides the context for our decisions; it’s the data about price and terms that we negotiate about as buyers or sellers, and it’s the weather forecast that’s part of our choice to have a picnic today at the beach. Three characteristics of information are key to our ability to make decisions about anything:

* If it is publicly known, we must have confidence that everybody knows it or can know it; if it is private to us or those we are working with, we need to trust that it stays private or confidential.

* The information we need must be reliable. It must be accurate enough to meet our needs and come to us in ways we can trust. It must have integrity.

* The information must be there when we need it. It must be available.

Those three attributes or characteristics - the confidentiality, integrity, and availability of the information itself - reflect the needs we all have to be reasonably sure that we are making well-informed decisions, when we have to make them, and that our competitors (or our enemies!) cannot take undue or unfair advantage over us in the process. Information security practitioners refer to this as the CIA of information security (the CIA triad). Every information user needs some CIA; for some purposes, you need a lot of it; for others, you can get by with more uncertainty (or "less CIA").

(ISC)² provides us with a Code of Ethics, and to be an SSCP you agree to abide by it. It is short and simple. It starts with a preamble, which we quote in its entirety:

> The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

> Therefore, strict adherence to this Code is a condition of certification.

Let’s operationalize that preamble—take it apart, step by step, and see what it really asks of us:

1. Safety and welfare of society: Allowing information systems to come to harm because of the failure of their security systems or controls can lead to damage to property, or injury or death of people who were depending on those systems operating correctly.
2. The common good: All of us benefit when our critical infrastructures, providing common services that we all depend on, work correctly and reliably.
3. Duty to our principals: Our duties to those we work for and serve, whether employers, clients, supervisors, or the leaders and authorities to whom we are accountable in any capacity.
4. Our duty to each other: To our fellow SSCPs, others in our profession, and to others in our neighborhood and society at large.
5. Adhere and be seen to adhere to: Behave correctly and set the example for others to follow. Be visible in performing our job ethically (in adherence with this Code) so that others can have confidence in us as a professional and learn from our example.

The code is equally short, containing four canons or principles to abide by:

> Protect society, the common good, necessary public trust and confidence, and the infrastructure.

> Act honorably, honestly, justly, responsibly, and legally.

> Provide diligent and competent service to principals.

> Advance and protect the profession.

The canons do more than just restate the preamble's two points. They show us how to adhere to the preamble. We must take action to protect what we value; that action should be done with honor, honesty, and justice as our guide. Due care and due diligence are what we owe to those we work for (including the customers of the businesses that employ us).

The final canon addresses our continued responsibility to grow as a professional. We are on a never-ending journey of learning and discovery; each day brings an opportunity to make the profession of information security stronger and more effective. We as SSCPs are members of a worldwide community of practice - the informal grouping of people concerned with the safety, security, and reliability of information systems and the information infrastructures of our modern world.

### Privacy

**Privacy**, as it applies to a person (or a business), is the freedom from intrusion by others into one's own life, place of residence or work, or relationships with others. Privacy means that you have the freedom to choose who can come into these aspects of your life and what they can know about you. Privacy is an element of common law, the body of unwritten legal principles that in many countries are just as enforceable by the courts as the written laws are. It starts with the privacy rights and needs of one person and grows to treat families, other organizations, and other relationships (personal, professional, or social) as being free from unwarranted intrusion.

Businesses create and use company confidential or proprietary information almost every day. Both terms declare that the business owns this information; the company has paid the costs to develop this information (such as the salaries of the people who thought up these ideas or wrote them down in useful form for the company), which represents part of the business’s competitive advantage over its competitors. Both terms reflect the legitimate business need to keep some data and ideas private to the business.

Part of the concept of privacy is connected to the reasonable expectation of whether other people can see and hear what you are doing, where you are (or where you are going), and who might be with you. It's easy to see this in examples: walking along a sidewalk, you have every reason to think that other people can see you, whether they are out on the sidewalk as well, looking out the windows of their homes and offices, or passing by in vehicles. Put the other way around, when you are out on that public sidewalk, in the open spaces of the town or city, you have no reasonable basis for believing that you are hidden from others. This helps us differentiate between public places and private places:

* Public places are areas or spaces in which anyone and everyone can see, hear, or notice the presence of other people, and observe what they are doing, intentionally or unintentionally. There is little to no degree of control as to who can be in a public place. A city park is a public place.

* Private places are areas or spaces in which, by contrast, you as owner (or the person responsible for that space) have every reason to believe that you can control who can enter, participate in activities with you (or just be a bystander), observe what you are doing, or hear what you are saying. You choose to share what you do in a private space with the people you choose to allow into that space with you. By law, this is your reasonable expectation of privacy, because it is "your" space, and the people you allow to share that space with you share in that reasonable expectation of privacy.

The pervasive use of the Internet and the World Wide Web, and the convergence of personal information technologies, communications and entertainment, and computing, have blurred these lines. Your smart watch or personal fitness tracker uplinks your location and exercise information to a website, and you’ve set the parameters of that tracker and your Web account to share with other users, even ones you don’t know personally. Are you doing your workouts today in a public or private place? Is the data your smart watch collects and uploads public or private data?

"Facebook-friendly" is a phrase we increasingly see in corporate policies and codes of conduct these days. The surfing of one’s social media posts, and even one’s browsing histories, has become a standard and important element of prescreening procedures for job placement, admission to schools or training programs, or acceptance into government or military service. Such private postings on the public Web are also becoming routine elements in employment termination actions. The boundary between “public” and “private” keeps moving, and it moves because of the ways we think about the information, and not because of the information technologies themselves.

The General Data Protection Regulation (EU) 2016/679 (GDPR) and other data protection regulations require business leaders, directors, and owners to make clear to customers and employees what data they collect and what they do with it, which in turn forces the organization to decide which of its data is public and which must be treated as private. As an SSCP, you probably won't make specific determinations as to whether certain kinds of data are public or private, but you should be familiar with your organization's privacy policies and its procedures for carrying out its data protection responsibilities. Many of the information security measures you will help implement, operate, and maintain are vital to keeping the dividing line between public and private data clear and bright.

### Confidentiality

Often thought of as "keeping secrets", confidentiality is actually about sharing secrets. Confidentiality is both a legal and ethical concept about **privileged communications** or **privileged information**. Privileged information is information you have, own, or create, and that you share with someone else with the agreement that they cannot share that knowledge with anyone else without your consent, or without due process in law. You place your trust and confidence in that other person's adherence to that agreement. Relationships between professionals and their clients, such as the doctor-patient or attorney-client ones, are prime examples of this privilege in action. Except in very rare cases, courts cannot compel parties in a privileged relationship to violate that privilege and disclose what was shared in confidence.

Confidentiality refers to how much we can trust that the information we’re about to use to make a decision has not been seen by unauthorized people. The term unauthorized people generally includes anybody or any group of people who could learn something from our confidential information, and then use that new knowledge in ways that would thwart our plans to attain our objectives or cause us other harm.

Confidentiality needs dictate who can read specific information or files, or who can download or copy them. This is very different from who can modify, create, or delete those files.

One way to think about this is that integrity violations change what we think we know; confidentiality violations tell others what we think is our private knowledge.

### Integrity

Integrity, in the most common sense of the word, means that something is whole and complete, and that its parts are smoothly joined together. People with high personal integrity are ones whose actions and words consistently demonstrate the same set of ethical principles. You know that you can count on them and trust them to act both in ways they have told you they would and in ways consistent with what they’ve done before.

Integrity for information systems has much the same meaning. Can we rely on the information we have and trust in what it is telling us?

This attribute reflects two important decision-making needs:

* First, is the information accurate? Have we gathered the right data, processed it in the right ways, and dealt correctly with errors, outliers ("wild points"), or odd elements of the data, so that we can count on it as input to our processes? We also have to have trust and confidence in those processes: do we know that the business logic that turns data and experience into conclusions actually works correctly?
* Next, has the information been tampered with, or have any of the intermediate steps in processing from raw data to finished "decision support data" been tampered with? This highlights our need to trust not only how we get data and how we process it, but also how we communicate and store that data, and how we authorize and control changes to the data and to the business logic and software systems that process it.
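Both integrity needs above can be checked mechanically. The following is an added example, not code from the SSCP text: a small data pipeline that first removes wild points (accuracy) and then seals each processing stage with an HMAC chained to the previous stage's tag (tamper evidence), so that altering a value, a summary, or dropping a whole stage is detected. The sensor readings and the key are constructed for illustration; in a real system the key would come from a key store or HSM, not a constant.

```python
"""Integrity of a small data pipeline: accuracy check plus tamper-evident stage chain.

Added example for the SSCP integrity discussion; readings and key are constructed.
"""
import copy
import hashlib
import hmac
import json
import statistics

# Constructed sample: temperature readings from one sensor; 999.0 is a wild point.
RAW_READINGS = [21.4, 21.6, 21.5, 999.0, 21.7, 21.5]

# Constructed shared secret for the example only; load from a key store in practice.
KEY = b"example-integrity-key-not-for-production"


def filter_wild_points(values, max_mads=3.0):
    """Accuracy: drop readings more than max_mads median absolute deviations
    from the median. Median/MAD are robust, so the outlier cannot hide itself."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9
    return [v for v in values if abs(v - med) / mad <= max_mads]


def seal(stage, payload, prev_tag=b""):
    """Tamper evidence: HMAC-SHA256 over stage name, previous stage's tag and a
    canonical JSON encoding of the payload. Chaining to prev_tag binds the order
    of stages, so a stage cannot be dropped or reordered unnoticed."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    message = stage.encode() + b"|" + prev_tag + b"|" + canonical
    return hmac.new(KEY, message, hashlib.sha256).digest()


def run_pipeline(readings):
    """Raw -> cleaned -> summary, each stage recorded with its chained tag."""
    records = []
    prev = b""

    def add(stage, payload):
        nonlocal prev
        tag = seal(stage, payload, prev)
        records.append({"stage": stage, "payload": payload, "tag": tag.hex()})
        prev = tag

    add("raw", {"values": list(readings)})
    cleaned = filter_wild_points(readings)
    add("cleaned", {"values": cleaned, "dropped": len(readings) - len(cleaned)})
    add("summary", {"mean": round(statistics.fmean(cleaned), 3), "n": len(cleaned)})
    return records


def verify_chain(records):
    """Recompute every tag from the recorded payloads; any edit, deleted stage or
    reordering breaks the chain. compare_digest avoids timing leaks."""
    prev = b""
    for rec in records:
        expected = seal(rec["stage"], rec["payload"], prev)
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return False
        prev = expected
    return True


def tampered_copy(records, stage_index, field, new_value):
    """Return a copy of the records with one payload field altered (for the demo)."""
    altered = copy.deepcopy(records)
    altered[stage_index]["payload"][field] = new_value
    return altered


if __name__ == "__main__":
    recs = run_pipeline(RAW_READINGS)
    print("intact chain verifies:", verify_chain(recs))
    print("mean after cleaning:", recs[-1]["payload"]["mean"])
    print("edited summary verifies:", verify_chain(tampered_copy(recs, 2, "mean", 25.0)))
    print("stage removed verifies:", verify_chain(recs[:1] + recs[2:]))
```

Note what the chain does and does not give you: it detects changes made after sealing, but it cannot make a wrong raw reading right, which is why the accuracy check runs first and is itself recorded as a sealed stage. Anyone holding `KEY` can reseal a tampered record, so the key must be kept from the processes that merely read the data, and a reviewer should treat a record that verifies but was sealed by an untrusted holder of the key with the same suspicion as one that fails.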

Integrity applies to three major elements of any information-centric set of processes: to the people who run and use them, to the data that the people need to use, and to the systems or tools that store, retrieve, manipulate, and share that data. We’ll look at all of these concepts in greater depth in later chapters, but it’s important here to review what Chapter 1 said about DIKW, or data, information, knowledge, and wisdom:

* Data are the individual facts, observations, or elements of a measurement, such as a person’s name or their residential address.
* Information results when we process data in various ways; information is data plus conclusions or inferences.
* Knowledge is a set of broader, more general conclusions or principles that we’ve derived from lots of information.
* Wisdom is (arguably) the insightful application of knowledge; it is the “a-ha!” moment in which we recognize a new and powerful insight that we can apply to solve problems with or to take advantage of a new opportunity—or to resist the temptation to try!

### Availability

Is the data there, when we need it, in a form we can use?

We make decisions based on information; whether that is new information we have gathered (via our data acquisition systems) or knowledge and information we have in our memory, it’s obvious that if the information is not where we need it, when we need it, we cannot make as good a decision as we might need to:

* The information might be in our files, but if we cannot retrieve it, organize it, and display it in ways that inform the decision, then the information isn’t available.

* If the information has been deleted, by accident, sabotage, or systems failure, then it’s not available to inform the decision.

These might seem obvious, and they are. Key to availability requirements is that they specify what information is needed; where it will need to be displayed, presented, or put in front of the decision makers; and within what span of time the data is both available (displayed to the decision makers) and meaningful. Yesterday’s data may not be what we need to make today’s decision.

## Understand Security Concepts

## Document, Implement, & Maintain Functional Security Controls

## Participate in Asset Management

## Implement Security Controls & Assess Compliance

## Participate in Change Management

## Participate in Security Awareness & Training

## Participate in Physical Security Operations (e.g., Data Center Assessment, Badging)