CISSP study notes: Personnel safety and risk management concepts

Chapter 2 Personnel Safety and Risk Management Concepts

2.1 Promote personnel safety strategies

  • Segregation of duties: Allocate critical, important and sensitive work tasks to a number of different administrators or senior executives to prevent collusion
  • Job Responsibilities: Principle of Least Privilege
  • Job rotation: Provides knowledge redundancy to reduce the risk of forgery, data alteration, theft, sabotage and information misuse, and also provides peer auditing to prevent collusion

2.1.1 Screening candidates

Screening method:

  1. Background check
  2. Social network account review

2.1.2 Employment Agreements and Strategies

  • Employment agreement
  • Confidentiality agreement

2.1.3 Process for terminating employees

2.1.4 Supplier, consultant and contractor controls

SLA: service level agreement

2.1.5 Compliance

Compliance is the act of conforming to or adhering to rules, policies, regulations, standards or requirements.

2.1.6 Privacy

2.2 Security Governance

  • Security governance is the collection of practices that support, define and guide an organization's security efforts
  • Third Party Governance: Oversight mandated by laws, regulations, industry standards, contractual obligations, or licensing requirements

2.3 Understand and apply risk management concepts

2.3.1 Risk terminology

  • Asset: Anything in the environment that should be protected
  • Asset Valuation: The monetary value assigned to an asset based on actual costs and non-monetary expenditures
  • Threat: Anything that could happen that would have undesirable or unintended consequences for an organization or some specific asset
  • Vulnerability: A weakness in an asset, or the absence of a safeguard/countermeasure
  • Exposure: Susceptibility to asset loss due to a threat. Exposure does not mean that a threat has actually been realized, only that harm is possible if a vulnerability exists and a threat can exploit it
  • Risk: The possibility that a given threat exploits a vulnerability and causes harm to an asset. Risk = Threat * Vulnerability. The overall goal of security is to reduce risk over time by eliminating vulnerabilities and blocking threats and threat agents from jeopardizing assets, so that risks do not become reality
  • Protective measure: Any method that eliminates a vulnerability or counteracts one or more specific threats
  • Attack: An occurrence in which a security mechanism is bypassed or blocked by a threat actor
  • Summary: Relationships between Risk Concepts

2.3.2 Identify threats and vulnerabilities

IT threats are not limited to IT sources

2.3.3 Risk assessment/analysis

Quantitative risk analysis

  1. Exposure Factor (EF): The percentage of loss an asset suffers when a specific risk is realized
  2. Single Loss Expectancy (SLE): The cost associated with a single realized risk against a specific asset. SLE = Asset Value (AV) * Exposure Factor (EF)
  3. Annualized Rate of Occurrence (ARO): The estimated frequency with which a specific threat or risk will occur in one year
  4. Annualized Loss Expectancy (ALE): The annual cost of loss that all realized threats may cause to a specific asset. ALE = SLE * ARO
  5. Calculate the ALE again with the safeguard in place
  6. Calculate the cost/benefit of the safeguard: (ALE1 - ALE2) - ACS
    • ALE1: ALE for the asset/threat pair before the countermeasure is applied
    • ALE2: ALE for the asset/threat pair after the countermeasure is applied
    • ACS: annual cost of the safeguard
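The quantitative steps above carried through in code, as an added example that is not part of the original notes. It computes SLE, ALE and the safeguard cost/benefit value (ALE1 - ALE2) - ACS, then ranks several candidate safeguards for one asset/threat pair. The asset value, exposure factors, rates of occurrence and safeguard costs are constructed sample figures, and the `Safeguard` class and helper names are my own.

```python
"""Worked quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example for these study notes. All figures are constructed samples,
not data from the notes or from any real assessment.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset lost in one realized event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


@dataclass
class Safeguard:
    """A candidate countermeasure and what it does to EF, ARO and yearly cost."""
    name: str
    ef_after: float      # exposure factor once the safeguard is in place
    aro_after: float     # annualized rate of occurrence once it is in place
    annual_cost: float   # ACS: purchase, deployment and yearly operating cost


def safeguard_value(asset_value: float, ef_before: float, aro_before: float,
                    sg: Safeguard) -> float:
    """(ALE1 - ALE2) - ACS. A positive result means the safeguard pays for itself."""
    ale1 = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale2 = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.ef_after), sg.aro_after)
    return round((ale1 - ale2) - sg.annual_cost, 2)


def rank_safeguards(asset_value: float, ef_before: float, aro_before: float,
                    candidates: list) -> list:
    """Return (name, value) pairs, best first. Only positive values justify spending."""
    scored = [(sg.name, safeguard_value(asset_value, ef_before, aro_before, sg))
              for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a customer database worth 200,000 that a ransomware
# event would damage by 30%, expected once every two years (ARO = 0.5).
SAMPLE_ASSET_VALUE = 200_000
SAMPLE_EF_BEFORE = 0.30
SAMPLE_ARO_BEFORE = 0.5

SAMPLE_CANDIDATES = [
    # Offline backups: shrinks the loss per event and the rate, costs 15,000/yr.
    Safeguard("offline backups", ef_after=0.10, aro_after=0.2, annual_cost=15_000),
    # Full EDR rollout: best reduction, but 40,000/yr is more than the risk it removes.
    Safeguard("edr rollout", ef_after=0.05, aro_after=0.1, annual_cost=40_000),
    # Mail filtering: does nothing to EF but cuts ARO to 0.1, costs 12,000/yr.
    Safeguard("mail filtering", ef_after=0.30, aro_after=0.1, annual_cost=12_000),
]


def analyze_sample() -> list:
    """Run the sample asset/threat pair through the ranking."""
    return rank_safeguards(SAMPLE_ASSET_VALUE, SAMPLE_EF_BEFORE,
                           SAMPLE_ARO_BEFORE, SAMPLE_CANDIDATES)


if __name__ == "__main__":
    sle = single_loss_expectancy(SAMPLE_ASSET_VALUE, SAMPLE_EF_BEFORE)
    ale = annualized_loss_expectancy(sle, SAMPLE_ARO_BEFORE)
    print(f"SLE = {sle:,.2f}  ALE1 = {ale:,.2f}")
    for name, value in analyze_sample():
        verdict = "worth it" if value > 0 else "reject"
        print(f"{name:16} (ALE1 - ALE2) - ACS = {value:>10,.2f}  {verdict}")
```

In the sample the cheaper mail filtering ranks above offline backups because cutting the frequency of the event alone removes more annual loss per unit of cost, and the EDR rollout is rejected even though it reduces both EF and ARO the most: its ACS exceeds the ALE it removes. That is exactly what the cost/benefit step in the notes is meant to surface.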

Qualitative risk analysis

  • Scenario: a written description of a single major threat
  • Delphi technique: a simple anonymous feedback and response process

2.3.4 Risk allocation/acceptance

  • Risk Mitigation: The implementation of protective measures that eliminate vulnerabilities or threats to an organization
  • Risk transfer: transferring the losses caused by risks to another entity or organization
  • Risk acceptance: accepting the consequences and losses that would result if the risk occurs
  • Risk Denial: Denying that a risk exists and hoping that the risk will never occur
  • Total risk calculation formula: Threat * Vulnerability * Asset Value = Total Risk
  • Residual risk calculation formula: total risk - control gap = residual risk

2.3.5 Selection and evaluation of countermeasures

The selection of countermeasures within the scope of risk management relies mainly on cost/benefit analysis.

2.3.6 Implementation

  • Technical control: using technology to control risks
  • Examples of technical controls: authentication, encryption, restricted ports, access control lists, protocols, firewalls, routers, intrusion detection systems, threshold systems
  • Administrative controls: Policies and procedures defined in accordance with the organization's security management policy and other security specifications or requirements
  • Physical controls: Deploy physical barriers. Physical access controls prevent direct access to parts of the system or facility.

2.3.7 Control type

  • Deterrence: To deter violations of security policies
  • Prevention: Preventing unwanted and unauthorized activity from occurring
  • Detection: Discovering unwanted or unauthorized activity
  • Compensation: Provides alternative options alongside other existing controls to aid in enforcing security policy
  • Correction: Restore the system to a normal state after detecting unwanted or unauthorized operations
  • Recovery: An extension of corrective controls with more advanced capabilities, such as backup and restore, system mirroring, and clustering
  • Directive: Instructing, restricting, or controlling a subject's activities to force or encourage the subject to comply with security policies

2.3.8 Monitoring and measurement

  • The benefits of security control improvements should be measurable

2.3.9 Asset Valuation

2.3.10 Continuous improvement

  • Security is always changing

2.3.11 Risk framework

  • Categorize: classify the information system, and the information it processes, stores and transmits, based on impact analysis
  • Select: select an initial baseline of security controls based on the security categorization
  • Implement: implement the security controls and describe how they are deployed in the information system and its operating environment
  • Assess: evaluate the security controls using appropriate assessment procedures
  • Authorize
  • Monitor: continuously monitor the security controls of the information system

2.4 Establish and manage information security education, training and awareness

  • The goal of building security awareness is to put security first and make users aware of it

2.5 Managing security functions

  • Security must be cost-effective
  • Security must be measurable


Source: https://blog.csdn.net/Runnymmede/article/details/133364253