Exam Essentials: Chapter 2

Chapter 2: Personnel Security & Risk Management Concepts

Understand the security implications of hiring new employees

  • To properly plan for security, you must have standards in place for:
    • job descriptions
    • job classification
    • work tasks
    • job responsibilities
    • preventing collusion
    • candidate screening
    • background checks
    • security clearances
    • employment agreements
    • non-disclosure agreements
  • By deploying such mechanisms, you ensure that new hires are aware of the required security standards, thus protecting your organisation’s assets.

Be able to explain separation of duties

  • Separation of duties is the security concept of dividing critical, significant, sensitive work tasks among several individuals.
  • By separating duties in this manner, you ensure that no one person can compromise system security.

Understand the principle of least privilege

  • The principle of least privilege states that, in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.
  • By limiting user access only to those items that they need to complete their work tasks, you limit the vulnerability of sensitive information.

Know why job rotation & mandatory vacations are necessary

  • Job rotation serves two functions:
    • it provides a type of knowledge redundancy
    • moving personnel around reduces the risk of fraud, data modification, theft, sabotage & misuse of information
  • Mandatory vacations of 1-2 weeks are used to audit & verify the work tasks & privileges of employees. This often results in easy detection of abuse, fraud or negligence.

Understand vendor, consultant & contractor controls

  • Vendor, consultant & contractor controls are used to define the levels of performance, expectation, compensation & consequences for entities, persons or organisations that are external to the primary organisation.
  • Often defined in an SLA.

Be able to explain proper employee termination policies

  • A termination policy should include items such as:
    • always having a witness
    • disabling the employee’s network access
    • performing an exit interview
    • escorting the terminated employee off the premises
    • the return of security tokens/badges & other company property

Know how privacy fits into the realm of IT security

  • Know the multiple meanings/definitions of privacy, why it is important to protect, and the issues surrounding it, especially in a work environment.

Be able to discuss third-party governance

  • Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards or licensing requirements.

Be able to define overall risk management

  • Risk management is:
    • the process of identifying factors that could damage or disclose data
    • evaluating those factors in light of data value & countermeasure cost
    • implementing cost-effective solutions for mitigating or reducing risk
  • By performing RM, you lay the foundation for reducing overall risk.

Understand risk analysis & the key elements involved

  • Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred and which should be accepted.
  • To fully evaluate risks and subsequently take proper precautions, you must analyse the following:
    • assets
    • asset valuation
    • threats
    • vulnerability
    • exposure
    • risk
    • realised risk
    • safeguards
    • countermeasures
    • attacks
    • breaches

Know how to evaluate threats

  • Threats can originate from numerous sources, including IT, humans & nature.
  • Threat assessment should be performed as a team effort to provide the widest range of perspectives.
  • By fully evaluating risks from all angles, you reduce your system’s vulnerability.

Understand quantitative risk analysis

  • Quantitative risk analysis focuses on hard values & percentages.
  • A complete quantitative analysis is not possible because of intangible aspects of risk.
  • The quantitative RA process involves asset valuation & threat investigation, followed by determining the threat’s potential frequency & the resulting damage; the result is a cost/benefit analysis of safeguards.
  • Key terms include:
    • Asset value (AV): The value of an asset, expressed as a $ amount.
    • Exposure factor (EF): Represents the %age of loss that an organisation would experience if a specific asset were violated by a realised risk. By calculating EFs, you are able to implement a sound RM policy.
    • Single loss expectancy (SLE): Represents the cost associated with a single realised risk against a specific asset. SLE = AV * EF
    • Annualised rate of occurrence (ARO): Represents the expected frequency with which a specific threat or risk will occur within a single year.
    • Annualised loss expectancy (ALE): Represents the possible yearly cost of all instances of a specific realised threat against a specific asset. ALE = SLE * ARO
  • To evaluate the cost/benefit of a safeguard, you must determine the annual cost of the safeguard, and the ALE for the asset after the safeguard is implemented. Value of the safeguard to the company = ALE before safeguard – ALE after safeguard is implemented – annual cost of safeguard, i.e. Value = (ALE1 – ALE2) – ACS
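
The formulas above, carried through for one risk and several candidate safeguards. This is an added worked example, not part of the original notes; the asset figures, safeguard names and costs are constructed, and ranking the candidates by value goes one step beyond the single-safeguard case in the text.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset_value: float      # AV in $
    exposure_factor: float  # EF as a fraction (0.25 = 25% of AV lost)
    aro: float              # ARO, expected occurrences per year

    def sle(self) -> float:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        return self.asset_value * self.exposure_factor  # SLE = AV * EF

    def ale(self) -> float:
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro                    # ALE = SLE * ARO

@dataclass
class Safeguard:
    name: str
    annual_cost: float      # ACS in $
    ef_after: float         # EF once the safeguard is in place
    aro_after: float        # ARO once the safeguard is in place

def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Value = (ALE1 - ALE2) - ACS; negative means it costs more than it saves."""
    ale_after = Risk(risk.asset_value, sg.ef_after, sg.aro_after).ale()
    return (risk.ale() - ale_after) - sg.annual_cost

def rank_safeguards(risk: Risk, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Return (name, value) pairs, best cost/benefit first."""
    scored = [(sg.name, safeguard_value(risk, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample data: $200,000 asset, 25% loss per incident, one incident every two years.
RISK = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.5)
CANDIDATES = [
    Safeguard("hot standby site", 30_000, ef_after=0.01, aro_after=0.5),
    Safeguard("offsite backups", 4_000, ef_after=0.05, aro_after=0.5),
    Safeguard("mail filtering", 9_000, ef_after=0.25, aro_after=0.25),
]

if __name__ == "__main__":
    print(f"SLE=${RISK.sle():,.0f}  ALE=${RISK.ale():,.0f}")
    for name, value in rank_safeguards(RISK, CANDIDATES):
        print(f"{name:18} value=${value:>10,.0f}")
```

A safeguard can lower EF, ARO or both; the hot standby site gives the largest ALE reduction here yet ranks last, because its annual cost exceeds the loss it prevents.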

Understand qualitative risk analysis

  • Qualitative RA is based on scenarios rather than calculations.
  • Exact $ figures are not assigned to possible losses; instead threats are ranked on a scale to evaluate their risks, costs & effects; this assists those responsible in creating proper RM policies.
  • The Delphi technique, often used in qualitative RA, is an anonymous feedback-and-response process used to arrive at a consensus; this gives the responsible parties the opportunity to properly evaluate risks & implement solutions.

Know the options for handling risk

  • Reducing risk, or risk mitigation, is the implementation of safeguards & countermeasures.
  • Assigning/transferring risk places the cost of loss a risk represents onto another entity/organisation. Purchasing insurance is one form of transferring risk.
  • Accepting risk means that management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realised.

Be able to explain total risk, residual risk & controls gap

  • Total risk is the amount of risk an organisation would face if no safeguards were implemented.
  • Total risk = Threats * Vulnerabilities * Asset Value
  • Residual risk is the risk that management has chosen to accept rather than mitigate.
  • The difference between total risk and residual risk is the controls gap, which is the amount of risk that is reduced by implementing safeguards.
  • Residual risk = Total risk – Controls gap

Understand control types

  • The term control refers to a broad range of controls that perform such tasks as ensuring that only authorised users can log on, and preventing unauthorised users from gaining access to resources.
  • Control types include:
    • preventive
    • detective
    • corrective
    • deterrent
    • recovery
    • directive
    • compensation
  • Controls can also be categorised by how they are implemented:
    • administrative
    • logical (technical)
    • physical

Know how to implement security awareness & education

  • Before actual training can take place, awareness of security as a recognised entity must be created for users.
  • Once this is accomplished, training (teaching employees to perform their work tasks and to comply with security policy) can begin.
  • All new employees require some level of training so they will be able to comply with all standards, procedures & guidelines mandated by policy.
  • Education is a more detailed endeavour in which students learn much more than they actually need to know in order to perform their work tasks; this is often associated with users pursuing certification or job promotion.

Understand how to manage the security function

  • To manage the security function, an organisation must implement proper & sufficient security governance.
  • The act of performing a risk assessment to drive the security policy is the clearest & most direct example of management of the security function.
  • This also relates to budget, metrics, resources, information security strategies, and assessing the completeness & effectiveness of the security program.

Know the six steps of the risk management framework

  • Categorise
  • Select
  • Implement
  • Assess
  • Authorise
  • Monitor
