[Notes] Chapter 2: Personnel Security and Risk Management Concepts

[Notes] Chapter 2: Personnel Security and Risk Management Concepts

Personnel Security Policies and Procedures:

  • Humans are often the weakest link in security.
  • Job descriptions play a vital role in security, as they specify necessary security access for job responsibilities.
  • Separation of duties divides critical tasks among individuals to prevent subversion of security mechanisms.
  • The principle of least privilege grants the minimum access necessary for employees to perform their duties.
  • Job rotation and cross-training help reduce the risk of fraud and misuse by detecting irregularities.
  • Job descriptions are essential during hiring and throughout an organization’s lifespan.
  • Onboarding and offboarding are processes for adding and removing employees.
  • Termination procedures include revoking access, conducting exit interviews, and ensuring offboarding employees don’t attempt re-entry.

Vendor, Consultant, and Contractor Agreements and Controls:

  • Vendor controls and Service Level Agreements (SLAs) define expectations for external organizations and individuals.
  • SLAs often include system uptime, maximum downtime, and responsibility for security.

Privacy Policy Requirements:

  • Privacy involves preventing unauthorized access and observations.
  • Personally Identifying Information (PII) includes data traceable to a specific person, such as SSNs and email addresses.
  • Privacy legislation examples: HIPAA, SOX, FERPA, Gramm-Leach-Bliley, GDPR, and PCI DSS.

Security Governance:

  • Security governance supports defines, and directs security efforts, sometimes mandated by law.
  • Documentation review precedes on-site inspections.
  • Authorization to Operate (ATO) is relevant in military and government contracts.

Risk Management Concepts:

  • Risk is the possibility of damage, destruction, or data disclosure.
  • Risk management identifies and evaluates risk factors, implements cost-effective countermeasures, and reduces risk to an acceptable level.
  • Assets are important items to protect, often assigned a dollar value.
  • Threats are potential occurrences causing unwanted outcomes for assets.
  • Vulnerability is a weakness in an asset or the absence of safeguards.
  • Exposure is vulnerability to asset loss due to a threat.
  • Risk is the possibility of a threat exploiting a vulnerability and harming an asset.
  • Safeguards reduce vulnerabilities or protect against threats.
  • Attack is the exploitation of a vulnerability by a threat agent.
  • Breach occurs when security mechanisms are bypassed.

Risk Assessment/Analysis:

  • Quantitative risk analysis assigns dollar values to asset loss.
  • Qualitative risk analysis uses subjective values, scenarios, and consensus techniques.
  • Risk responses include mitigation, assignment, acceptance, deterrence, avoidance, rejection, residual risk, and total risk.

Countermeasure Selection and Implementation:

  • Countermeasures should have a cost lower than the asset, with a result that makes the cost of an attack greater than benefits.
  • They should address real problems, be testable, provide consistent protection, and require minimal human intervention.

Types of Controls:

  • Controls can be technical, administrative, or physical.
  • Security controls include deterrent, preventative, detective, compensating, corrective, recovery, and directive.
  • Security Control Assessment (SCA) involves evaluating mechanisms against baselines.

Continuous Improvement:

  • Risk analysis is periodically revisited as it is a point-in-time assessment.

Risk Frameworks:

  • The NIST Risk Management Framework (RMF) involves categorizing information, selecting controls, implementing and assessing them, authorizing system operation, and ongoing monitoring.

Security Awareness, Education, and Training:

  • Awareness is a prerequisite for security training, making users recognize the importance of security.
  • Training teaches employees how to perform their tasks and comply with security policies.
  • Education involves more detailed training beyond job requirements.

Manage the Security Function:

  • Measurable security provides clear benefits, and metrics are recorded and analyzed for effectiveness.

Leave a Reply

Your email address will not be published. Required fields are marked *