Chapter 2 Personnel Security and Risk Management Concepts
2.1 Personnel security policies and procedures
- Separation of duties: divide critical, important and sensitive tasks among several administrators or senior executives so that no single person has end-to-end control over a process; abusing it then requires collusion
- Job responsibilities: assign each role only the access its tasks require (principle of least privilege)
- Job rotation: provides knowledge redundancy (no single person is the only one who knows a job) and reduces the risk of fraud, data alteration, theft, sabotage and misuse of information; it also provides peer auditing, which deters collusion
2.1.1 Screening candidates
Screening methods:
- background checks
- social media account review
2.1.2 Employment Agreements and Strategies
- employment agreement
- non-disclosure agreement (NDA)
2.1.3 Process for terminating employees
2.1.4 Supplier, consultant and contractor controls
SLA: service level agreement, the contractual definition of the service levels a provider must meet and the consequences of failing to meet them
2.1.5 Compliance
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards or requirements
2.1.6 Privacy
2.2 Security Governance
- Security governance is the collection of practices that support, define and guide an organization's security efforts
- Third-party governance: external oversight mandated by laws, regulations, industry standards, contractual obligations or licensing requirements
2.3 Understand and apply risk management concepts
2.3.1 Risk terminology
- Asset: anything in the environment that should be protected
- Asset valuation: the value assigned to an asset, based on its actual cost plus non-monetary factors (intangible value, replacement effort, reputation)
- Threat: any potential occurrence that would have undesirable or unintended consequences for the organization or a specific asset
- Vulnerability: a weakness in an asset, or the absence of a safeguard/countermeasure
- Exposure: being susceptible to asset loss because of a threat. Exposure does not mean the threat has actually occurred, only that a vulnerability exists that the threat could exploit
- Risk: the likelihood that a threat will exploit a vulnerability and cause harm to an asset; Risk = Threat * Vulnerability. The overall goal of security is to reduce vulnerabilities and block threat agents so that risks do not become realized
- Safeguard (countermeasure): any method that removes a vulnerability or counters one or more specific threats
- Attack: an occurrence in which a security mechanism is bypassed or thwarted by a threat agent
- Summary: these concepts chain together; a threat agent exploits a vulnerability, which creates exposure and thus risk, which safeguards reduce
2.3.2 Identify threats and vulnerabilities
IT threats are not limited to IT sources
2.3.3 Risk assessment/analysis
Quantitative risk analysis
- Exposure Factor (EF): the percentage of an asset's value lost when a specific risk is realized
- Single Loss Expectancy (SLE): the cost of a single realized risk against a specific asset; SLE = Asset Value (AV) * Exposure Factor (EF)
- Annualized Rate of Occurrence (ARO): the estimated number of times a specific threat or risk will occur in one year
- Annualized Loss Expectancy (ALE): the expected yearly loss from a specific threat against a specific asset; ALE = SLE * ARO
- Recalculate ALE with the safeguard in place (the safeguard lowers EF, ARO or both)
- Calculate the annual value (cost/benefit) of the safeguard: (ALE1 - ALE2) - ACS; a negative result means the safeguard costs more than it saves
- ALE1: ALE for the asset/threat pair without the countermeasure
- ALE2: ALE for the asset/threat pair with the countermeasure in place
- ACS: annual cost of the safeguard (purchase, deployment, maintenance and operation)
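A worked version of the quantitative formulas above, added here as an example and not part of the original notes. It computes SLE, ALE and the annual safeguard value (ALE1 - ALE2) - ACS for several candidate countermeasures against one asset/threat pair and ranks them; the asset, threat and safeguard figures are constructed assumptions chosen so that one candidate turns out not to be cost-justified.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # asset value (AV), in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of AV lost per occurrence (0.0-1.0)
    aro: float  # annualized rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float        # annual cost of the safeguard (purchase, maintenance, operation)
    ef_after: float   # EF once the safeguard is in place
    aro_after: float  # ARO once the safeguard is in place


def check_rates(ef: float, aro: float) -> None:
    """EF is a percentage of the asset; ARO is a non-negative frequency."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"EF must be within [0, 1], got {ef}")
    if aro < 0.0:
        raise ValueError(f"ARO must be >= 0, got {aro}")


def sle(asset: Asset, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    return asset.value * ef


def ale(asset: Asset, ef: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    check_rates(ef, aro)
    return sle(asset, ef) * aro


def safeguard_value(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Annual value of a safeguard: (ALE1 - ALE2) - ACS.

    ALE1 is the loss expectancy without the safeguard, ALE2 with it.
    A negative result means the safeguard costs more than it saves.
    """
    ale1 = ale(asset, threat.ef, threat.aro)
    ale2 = ale(asset, sg.ef_after, sg.aro_after)
    return (ale1 - ale2) - sg.acs


def rank_safeguards(asset: Asset, threat: Threat,
                    candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Rank candidate safeguards by annual value, best first."""
    scored = [(sg.name, safeguard_value(asset, threat, sg)) for sg in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def is_cost_justified(asset: Asset, threat: Threat, sg: Safeguard) -> bool:
    """A safeguard is justified only if its annual value is positive."""
    return safeguard_value(asset, threat, sg) > 0.0


# Constructed sample figures (assumptions for this illustration, not from the notes).
SAMPLE_ASSET = Asset("customer database server", value=500_000.0)
SAMPLE_THREAT = Threat("ransomware", ef=0.4, aro=0.5)  # SLE 200,000; ALE1 100,000
SAMPLE_SAFEGUARDS = [
    # backups do not stop the attack (same ARO) but cut the loss per incident
    Safeguard("offline backups", acs=20_000.0, ef_after=0.1, aro_after=0.5),
    # EDR cuts how often the attack succeeds but not the damage when it does
    Safeguard("EDR on all hosts", acs=60_000.0, ef_after=0.4, aro_after=0.1),
    # eliminates the risk entirely, but costs more than the loss it prevents
    Safeguard("full isolation rebuild", acs=120_000.0, ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE  = {sle(SAMPLE_ASSET, SAMPLE_THREAT.ef):,.0f}")
    print(f"ALE1 = {ale(SAMPLE_ASSET, SAMPLE_THREAT.ef, SAMPLE_THREAT.aro):,.0f}")
    for name, value in rank_safeguards(SAMPLE_ASSET, SAMPLE_THREAT, SAMPLE_SAFEGUARDS):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:<24} annual value {value:>10,.0f}  ({verdict})")
```

With the sample figures, offline backups come out best (value 55,000), EDR second (20,000), and the full rebuild is rejected (-20,000) even though it drives the loss to zero: a safeguard is chosen on net value, not on how much risk it removes.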
Qualitative risk analysis
- Scenario: a written description of a single major threat and how it could affect the organization
- Delphi technique: an anonymous feedback-and-response process used to reach consensus among a group of experts
2.3.4 Risk response (treatment)
- Risk mitigation: implementing safeguards that remove vulnerabilities or block threats, reducing the risk
- Risk transference (assignment): shifting the cost of a realized risk to another entity, for example through insurance or outsourcing
- Risk acceptance: knowingly accepting the consequences and losses if the risk is realized, usually because the cost of the countermeasure exceeds the expected loss
- Risk rejection (denial): denying that a risk exists and hoping it never occurs; this is not a valid response
- Total risk formula: Threats * Vulnerabilities * Asset Value = Total Risk
- Residual risk formula: Total Risk - Controls Gap = Residual Risk (the risk that remains after safeguards are applied)
2.3.5 Selection and evaluation of countermeasures
The selection of countermeasures within the scope of risk management mainly relies on cost/benefit analysis
2.3.6 Implementation
- Technical control: using technology to control risks
- Examples of technical controls: authentication, encryption, restricted interfaces and ports, access control lists, protocols, firewalls, routers, intrusion detection systems, clipping levels
- Administrative controls: Policies and procedures defined in accordance with the organization's security management policy and other security specifications or requirements
- Physical controls: Deploy physical barriers. Physical access controls prevent direct access to parts of the system or facility.
2.3.7 Control type
- Deterrent: discourages violations of security policy
- Preventive: stops unwanted or unauthorized activity from occurring
- Detective: discovers unwanted or unauthorized activity after or while it occurs
- Compensating: provides an alternative to, or supports, another existing control
- Corrective: returns the system to a normal state after unwanted or unauthorized activity has been detected
- Recovery: an extension of corrective controls with more advanced or complex capabilities, such as backup and restore, system imaging and clustering
- Directive: instructs, restricts or controls a subject's actions to force or encourage compliance with security policy
2.3.8 Monitoring and measurement
- The benefits of security control improvements should be measurable and verifiable
2.3.9 Asset Valuation
2.3.10 Continuous improvement
- Security is always changing
2.3.11 Risk framework
- Categorize: classify the information system and the information it processes, stores and transmits, based on an impact analysis
- Select: choose an initial set of baseline security controls based on the security categorization
- Implement: deploy the security controls and document how they are deployed within the system and its operating environment
- Assess: evaluate the security controls using appropriate assessment procedures to confirm they are implemented correctly and operating as intended
- Authorize: formally authorize the system to operate based on the residual risk to the organization
- Monitor: monitor the security controls on an ongoing basis, reassessing as the system and environment change
2.4 Establish and manage information security education, training and awareness
- The goal of building security awareness is to put security first and make users aware of it
2.5 Managing security functions
- Security must be cost-effective
- Security must be measurable