[Notes] Chapter 2: Personnel Security and Risk Management Concepts

Personnel Security Policies and Procedures:

  • Humans are often the weakest link in security.
  • Job descriptions play a vital role in security, as they specify necessary security access for job responsibilities.
  • Separation of duties divides critical tasks among individuals to prevent subversion of security mechanisms.
  • The principle of least privilege grants the minimum access necessary for employees to perform their duties.
  • Job rotation and cross-training help reduce the risk of fraud and misuse by detecting irregularities.
  • Job descriptions are essential during hiring and throughout an organization’s lifespan.
  • Onboarding and offboarding are processes for adding and removing employees.
  • Termination procedures include revoking access, conducting exit interviews, and ensuring offboarding employees don’t attempt re-entry.

Vendor, Consultant, and Contractor Agreements and Controls:

  • Vendor controls and Service Level Agreements (SLAs) define expectations for external organizations and individuals.
  • SLAs often include system uptime, maximum downtime, and responsibility for security.

Privacy Policy Requirements:

  • Privacy involves preventing unauthorized access and observations.
  • Personally Identifying Information (PII) includes data traceable to a specific person, such as SSNs and email addresses.
  • Privacy legislation examples: HIPAA, SOX, FERPA, Gramm-Leach-Bliley, GDPR, and PCI DSS.

Security Governance:

  • Security governance supports, defines, and directs security efforts, and is sometimes mandated by law.
  • Documentation review precedes on-site inspections.
  • Authorization to Operate (ATO) is relevant in military and government contracts.

Risk Management Concepts:

  • Risk is the possibility of damage, destruction, or data disclosure.
  • Risk management identifies and evaluates risk factors, implements cost-effective countermeasures, and reduces risk to an acceptable level.
  • Assets are important items to protect, often assigned a dollar value.
  • Threats are potential occurrences causing unwanted outcomes for assets.
  • Vulnerability is a weakness in an asset or the absence of safeguards.
  • Exposure is vulnerability to asset loss due to a threat.
  • Risk is the possibility of a threat exploiting a vulnerability and harming an asset.
  • Safeguards reduce vulnerabilities or protect against threats.
  • Attack is the exploitation of a vulnerability by a threat agent.
  • Breach occurs when security mechanisms are bypassed.

Risk Assessment/Analysis:

  • Quantitative risk analysis assigns dollar values to asset loss.
  • Qualitative risk analysis uses subjective values, scenarios, and consensus techniques.
  • Risk responses include mitigation, assignment, acceptance, deterrence, avoidance, and rejection; related terms are residual risk (what remains after safeguards) and total risk (the risk before any safeguards).

Countermeasure Selection and Implementation:

  • A countermeasure should cost less than the asset it protects, and it should make the cost of an attack greater than the benefit the attacker would gain.
  • They should address real problems, be testable, provide consistent protection, and require minimal human intervention.
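The quantitative analysis in the Risk Assessment section and the countermeasure cost rule above can be worked through with numbers. The Python below is an added example, not part of the original notes: it uses the standard quantitative formulas single loss expectancy (SLE = AV × EF), annualized loss expectancy (ALE = SLE × ARO) and safeguard value (ALE before − ALE after − annual safeguard cost), which the notes do not spell out, and every asset value, exposure factor, occurrence rate and cost in it is a constructed sample figure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, expressed with quantitative risk values."""
    asset_value: float      # AV: dollar value assigned to the asset
    exposure_factor: float  # EF: fraction of the asset value lost per occurrence (0.0-1.0)
    annual_rate: float      # ARO: expected number of occurrences per year

    def sle(self) -> float:
        # Single Loss Expectancy = AV * EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE * ARO
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the residual scenario it leaves behind."""
    name: str
    annual_cost: float      # ACS: annual cost of the safeguard
    after: RiskScenario     # the scenario with the safeguard in place


def safeguard_value(before: RiskScenario, sg: Safeguard) -> float:
    """Cost/benefit of a safeguard: (ALE before) - (ALE after) - ACS.

    A positive value means the safeguard saves more per year than it costs.
    """
    return before.ale() - sg.after.ale() - sg.annual_cost


def is_cost_justified(before: RiskScenario, sg: Safeguard) -> bool:
    """Apply the two rules from the notes: the countermeasure must cost less
    than the asset it protects, and it must reduce loss by more than it costs."""
    return sg.annual_cost < before.asset_value and safeguard_value(before, sg) > 0


def rank_safeguards(before: RiskScenario, options: list[Safeguard]) -> list[tuple[str, float, bool]]:
    """Return (name, value, justified) for each option, best value first."""
    rows = [(sg.name, safeguard_value(before, sg), is_cost_justified(before, sg)) for sg in options]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample data (hypothetical): a $200,000 file server facing a
# ransomware scenario expected once every two years that destroys 25% of its value.
BASELINE = RiskScenario(asset_value=200_000.0, exposure_factor=0.25, annual_rate=0.5)

# Constructed candidate countermeasures. Each one changes the exposure factor
# and/or the annual rate; the asset value itself stays the same.
OPTIONS = [
    # Offline backups: attacks still happen, but recovery limits the loss to 5%.
    Safeguard("offline backups", 8_000.0,
              RiskScenario(200_000.0, 0.05, 0.5)),
    # A costly managed service that halves the rate and limits loss to 10%,
    # but whose price exceeds the loss it avoids.
    Safeguard("managed detection service", 25_000.0,
              RiskScenario(200_000.0, 0.10, 0.25)),
    # A control priced above the asset value fails the first rule outright.
    Safeguard("full hardware replacement program", 250_000.0,
              RiskScenario(200_000.0, 0.0, 0.0)),
]


if __name__ == "__main__":
    print(f"baseline SLE=${BASELINE.sle():,.0f}  ALE=${BASELINE.ale():,.0f}")
    for name, value, ok in rank_safeguards(BASELINE, OPTIONS):
        verdict = "justified" if ok else "rejected"
        print(f"{name:35s} value=${value:>10,.0f}  {verdict}")
```

Running the block prints the baseline SLE ($50,000) and ALE ($25,000), then each candidate ranked by its annual value: the backups option nets $12,000 per year and is justified, while the other two are rejected, one because its cost outweighs the loss it avoids and the other because it costs more than the asset itself. The `annual_cost < asset_value` check and the positive-value check are kept as separate conditions so that a reviewer can see which of the two rules from the notes a rejected option failed.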

Types of Controls:

  • Controls can be technical, administrative, or physical.
  • Security controls include deterrent, preventative, detective, compensating, corrective, recovery, and directive.
  • Security Control Assessment (SCA) involves evaluating mechanisms against baselines.

Continuous Improvement:

  • Risk analysis is periodically revisited as it is a point-in-time assessment.

Risk Frameworks:

  • The NIST Risk Management Framework (RMF) involves categorizing information, selecting controls, implementing and assessing them, authorizing system operation, and ongoing monitoring.

Security Awareness, Education, and Training:

  • Awareness is a prerequisite for security training, making users recognize the importance of security.
  • Training teaches employees how to perform their tasks and comply with security policies.
  • Education involves more detailed training beyond job requirements.

Manage the Security Function:

  • Measurable security provides clear benefits, and metrics are recorded and analyzed for effectiveness.
