250 ◾ Official (ISC)² Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
secret activities, or beyond. Seek out relevant government standards that may apply
to your particular situation. Or, if your organization is a high visibility target for corporate espionage or organized crime, you may benefit from researching government
standards and incorporating them into your own security management program.
The big focus here is on information leakage from paper documents, cyber data, and
conversations in house, on a phone, or on video-conference equipment. The methods
to illicitly obtain information are many and varied; likewise, so are the safeguards.
Managed Security Services
If you use managed security services (MSSs), then you must also consider the environment of the outsourcer. Your operations, data, reputation, and survivability now
also depend on efficient and secure outsourcer operations. This means that you
need to understand and influence their operations to ensure that they represent
your organization’s best interests.
Address MSS physical security requirements in the business partner agreement
and SLAs. Also, secure the contractual right to assess the MSS environment for compliance with the business agreement.
Local and Distributed
If your organization transports data off site, then physical security requirements
apply to physical transportation. This includes the type of media, protection of data
on media, protection of media in transport vehicles, procedures for the driver, and
media checkout/check-in procedures. Be aware that your domestic laws may vary
from foreign laws where you have operations; the use of encryption may be fine in
the United States, but not fine at all in some Eastern countries. This applies both to
business operations in the local country and to organization employees traveling
in that country.
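The media checkout/check-in procedure above can be backed by a simple custody record that captures what left the building and verifies what came back. The following Python is an added example, not code from the guide: it records a fingerprint of the media contents and a due time at checkout, and at check-in reports whether the contents changed in transit or the media returned late. The media identifier, custodian names and the container bytes are constructed sample values, and `max_transit_hours` is an assumed policy parameter.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample: the bytes of an encrypted backup container as written at checkout.
# A real procedure would hash the media device or container file; bytes keep this offline.
MEDIA_ID = "TAPE-0042"  # hypothetical media label
CHECKOUT_CONTENTS = b"ENCRYPTED-CONTAINER-v1" + bytes(range(64))


def fingerprint(data: bytes) -> str:
    """SHA-256 of the media contents; recorded at checkout, recomputed at check-in."""
    return hashlib.sha256(data).hexdigest()


def checkout(media_id: str, custodian: str, destination: str, data: bytes,
             when: datetime, max_transit_hours: int = 48) -> dict:
    """Create the custody record handed to the driver and kept by the data center."""
    return {
        "media_id": media_id,
        "custodian": custodian,
        "destination": destination,
        "sha256": fingerprint(data),
        "checked_out": when,
        "due": when + timedelta(hours=max_transit_hours),  # assumed policy window
    }


def checkin(record: dict, data: bytes, when: datetime) -> list:
    """Compare returned media against its checkout record.

    Returns a list of findings; an empty list means the media came back
    unchanged and within the allowed transit window.
    """
    findings = []
    if fingerprint(data) != record["sha256"]:
        findings.append("contents changed in transit")
    if when > record["due"]:
        findings.append("returned late")
    return findings


def run_demo() -> tuple:
    """Three check-ins against one checkout: clean, tampered, and overdue."""
    t0 = datetime(2011, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    record = checkout(MEDIA_ID, "driver-a", "offsite-vault", CHECKOUT_CONTENTS, t0)
    clean = checkin(record, CHECKOUT_CONTENTS, t0 + timedelta(hours=5))
    tampered = checkin(record, CHECKOUT_CONTENTS + b"\x00", t0 + timedelta(hours=5))
    overdue = checkin(record, CHECKOUT_CONTENTS, t0 + timedelta(hours=72))
    return clean, tampered, overdue


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "overdue"), run_demo()):
        print(f"{label}: {result or 'OK'}")
```

The fingerprint is taken over the encrypted container, so the record proves integrity of what was transported without the custody log itself holding any plaintext; the due time turns "procedures for the driver" into something the check-in desk can actually verify.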
Mission Assurance
In a given environment, people perform processes using technology to produce results.
The results are the achievement of the business purpose and the fulfillment of the
business mission. The successful execution of a software program may contribute to
the fulfillment of the business mission, but successful execution is not the business
mission. Safeguarding the data center may contribute to the business mission, but
a safe data center is not the business mission.
The traditional focus on information assurance (IA) or computer security is
on the technology, i.e., ensuring the software application runs and the data center
is safe. As the material herein shows, technology is certainly important but is far
from the only consideration. Another habitual focus of information assurance and