7 hours 35 minutes
Hey, guys, Welcome to another video in the s s C P exam series.
I'm your host, Peter Sibilant.
This is the eighth lesson in the second domain
so far in the second domain looked at the code of ethics, which is the required behavior for an Asset CP practitioner. We've looked at the C I A Triad, which is the fundamental aspect of soccer security. We've looked at security architecture, howto build frameworks for security systems
as well as how to control them. Using
managerial, operational and technical controls.
We've looked at system security plans and how to securely develop systems and how that when we securely developed systems, it reduces system vulnerabilities.
We've looked at data and how to prevent it from being leaked.
And we started to look at management,
different types of management and how to manage different aspects of a system. Now, in today's lesson, we'll continue to look at management. Specifically, configuration management, which manages the changes of features within systems and patch management had a handle on our buildings. Also in this lesson,
look at security awareness and training
and why it is imperative to make sure everyone in the organization is on the same page. When it comes to security, let's get started.
Configuration management configuration management is a discipline that seeks to manage configuration changes so that they are appropriately approved and documented, so the integrity of the security state is maintained. The whole point of configuration management
is to maintain the integrity of hardware and software across
Now this sounds like a lot would change management, but there are actually two different concepts, although they are very similar.
Change management focuses on changes to project processes or project baselines, so things such as
changes in the budget changed in the schedule et cetera.
Configuration management, on the other hand,
focuses on projects specifications. So this is things like extra features, which may be added or subtracted
to a particular project.
Configuration management system consists off automated tools,
so tools that will handle version checking any type of conflict
or anything like that.
which is a hardware list which would include information about all of the different pieces of hardware and software. So it would include information such as the Make model Mac address software, name,
a number of licenses, the expiration date of those licenses and things like that.
Consider figuration Management also consists of procedures, a step by step process for properly configuring the hardware and software so that the number of conflicts is reduced.
There are four main operational aspects for configuration man. They are identification,
accounting and auditing.
Inventories are also kept for integrity and validation.
Certain voices, especially things like computers or software. There could be hundreds of configuration possibilities, so it's a pro in to document all of them to make sure that all the hardware and software is operating at the same
base line that they're supposed to be operating at
and that they saw successful. We solved the problems and do what they are supposed to do.
This is how the configuration management process works. It starts out by identifying the device,
and then controls are applied to this device.
The controls are then tracked through accounting to make sure they're operating as they are supposed to. And finally, the auditing takes place to determine if the control and the configuration inventories are being properly documented.
Let's look at these steps a little bit closer.
Identification captures and maintains information about the structure of the system.
This is usually stored in a configuration management database. Awesome and as a C M D P
configuration changes are controlled through about the life cycle. The controls implemented are four governing change requests, approvals, impact analysis, bug tracking on DTH e, systematic propagation of changes,
accounting tracks and reports on the status of the configuration. History. Auditing is the process of looking through the configuration items to ensure that they are solving the problems that they were intended to solve, if not
in the process. Circles back to control
and the cycle is repeated. Patch Management
Patch Management is the process of applying system changes to correct software and firmware vulnerabilities. No system is 100% safe or 100% secure.
After a while, vulnerabilities are discovered. Bugs Air found new technology is invented, which puts the security of the systems at D, in which case a patch must be implemented. A patch is not a whole new system. It is a very small piece off
code or portion off the system
which is installed to the system and integrated so that it handles whatever vulnerability has come about.
Process of patch management includes acquisition, said the patches are supplied usually from the vendor's Web site and then download the patches are tested to make sure they work is expected on the integration is seamless
the approval process. Once the patches have been tested, they need to be approved by upper management.
Once this is done, they're packaged up, and they are sent out for the distribution and installation of the patch.
During the deployment, the patches applied toothy target system, and then it is monitored and track to make sure if the patch will a successful or if it failed or what The outcome of applying the patch was
a couple of terms you will run into when talking about configuration management or patch management or any really, any of the four management's that we have spoke of
on the first is the security impact assessment.
This is the analysis conducted with an organization to determine the extent of the changes to the information system and how they impact the security posture. So any time there is a change or new release or patches of replied
is important to do the security impact assessment
to see if the security impact from this change that differs any from the baseline
Another term you'll see, is the interoperability of a system.
So this is the extent to which systems and the voices can exchange, then receive interpret any data between them. So if the system has a lot of interoperability, it is known as an open system
where a lot of data can be passed back and forth between systems.
If there is very little interoperability,
it is known as a closed system where the information that is inside the system has to stay inside the system.
Security awareness and training
seeks to reduce human air by educating people about cyber secured. This is very, very important. Is actually one of the pillars in the code of ethics switches advanced the profession so is very important for the S S c P practitioner. To educate
people buy cybersecurity
security is only as strong as its weakest link. That's why a lot of defense is in depth are implemented and there is a very big push to help people be aware to different cyber situations. A lot hinges on um
critical success factor, said these things like a senior management
culture, awareness, communication
and taking a solid change management approach but also measuring the changes to actually know if
a change is successful or if security awareness is going up within a network or organization.
In today's lecture,
configuration and patch management, and we've also talked about security awareness and training and how it is very important for an organization
documenting and recording all of the hardware and software components of a system is an action of
a configuration management.
Be patch management,
see released management or D change management.
If you said a configuration management, then you are correct. Remember, all many, many hardware and software components have hundreds or even possibly thousands, off different configuration possibilities. And it's very important to keep all of these different configurations
managed in a safe and control way
to maintain the integrity of the system.
Thanks for washing guys. I really hope you learned a lot in this video, and I'll see you next time
ISC2 Systems Security Certified Practitioner (SSCP) Practice Assessment
The SSCP exam preparation package helps students prepare for the ISC2 SSCP certification exam. ...
(ISC)2 Certified Information Systems Security Professional 2015
(ISC)2 Certified Information Systems Security Professional 2015 is a practice exam preparing for the CISSP ...