CISSP Study Notes-2 (Personnel Security and Risk Management Concepts)
These notes record in detail the key knowledge points and exam points of CISSP Chapter 2, Personnel Security and Risk Management Concepts, and include several review questions.
Edited at 2024-01-23 15:59:36
CISSP Study Notes-2 (Personnel Security and Risk Management Concepts)
1-Summary of knowledge points
Personnel Security Policies and Procedures
People are the most vulnerable element of any security solution; with proper training they can become critical security assets and valuable partners in security efforts
Job description and responsibilities
Job descriptions should take security issues into account
Define the roles that need to be assigned to employees; each role is matched to its privileges and tasks
The list of responsibilities is the basis for assigning access rights, permissions and privileges
Job descriptions are not only for recruitment; they apply across the whole employment life cycle
Candidate screening and recruitment
Onboarding: Employment Agreements and Strategies
The principle of least privilege and access rights
NDA confidentiality agreement
When an employee's job responsibilities change and they access new assets, additional NDAs are signed
Employee supervision
Work tasks and privileges will drift, and too many privileges will increase organizational risks
Mandatory vacations
While the employee is away, other employees perform their job duties using their accounts; this helps detect abuse, fraud or negligence and verifies job tasks and privileges
Separation of duties, job rotation, cross-training and mandatory vacations reduce the risk of collusion
UBA (user behavior analytics) and UEBA (user and entity behavior analytics) can improve personnel security policies, procedures, training and related security oversight programs
Separation, Transfer and Termination Process
Offboarding procedures may also be used when employees move to a different department, facility, or physical location
A personnel transfer may be treated as a termination followed by a rehire
Factors in deciding which program to use include:
Whether to keep the same user account
Whether to adjust their permissions
Are the new job responsibilities similar to the previous position?
Do you need a new account with a clean history?
Does the new job position require an audit?
Supplier, Consultant and Contractor Agreements and Controls
A service level agreement (SLA) is a way to ensure that an agreed level of service is actually delivered
SLAs and supplier, consultant and contractor controls are an important part of risk reduction and risk avoidance
Outsourcing is a response that transfers or assigns risk
Functions of a vendor management system (VMS):
Streamlined ordering
Order distribution
Order training
Consolidated billing
Compliance policy requirements
Benefits of Compliance
high quality
consistency
efficiency
cost savings
Damage from compliance breaches
profit
market share
Approval
reputation
Compliance enforcement refers to the imposition of sanctions or consequences for failure to comply with policies, training, best practices, regulations
Who enforces compliance
CISO or CEO
Employee managers and supervisors
Auditors and third-party regulators
Privacy Policy Requirements
privacy definition
Actively preventing unauthorized access to personally identifiable information (PII)
Prevent unauthorized access to personal or confidential information
To prevent being observed, monitored or inspected without consent or knowledge
Privacy is a concern that the IT department must address
Understand and apply risk management concepts
Overview
The results of the initial risk management effort are the basis for formulating security policy
Subsequent risk management events are used to improve and maintain the organization's security infrastructure
Risk management components:
Risk Assessment (Analysis)
Assess the likelihood that a threat occurs
Estimate the loss caused if it actually materializes
Evaluate the cost of each risk control measure
Together, these three results rank the risks by priority
risk response
Use cost/benefit analysis
Evaluate risk controls, safeguards and security controls
Deploy the selected countermeasures into the IT infrastructure and document them in the security policy
Risk awareness
Risk terms and concepts
Asset Valuation
Identify threats and vulnerabilities
Risk assessment/analysis
Quantitative analysis
Calculate asset losses using actual monetary value based on mathematical calculations
Qualitative analysis
Represent asset losses in subjective and intangible terms, taking into account opinions, feelings, intuition, preferences, thoughts and gut reactions
Qualitative risk analysis techniques
Scenarios
Delphi technique
Anonymous feedback and response process, no discrimination based on the source of the idea
Quantitative Risk Analysis
Steps
Exposure factor (EF)
Also called loss potential; expressed as a percentage. Sources for the estimate: internal data, statistical analysis, public consultation, a subscribed risk ledger/register, external advisors, risk management software
Single loss expectancy (SLE)
SLE = Asset Value (AV) * Exposure Factor (EF)
Annualized rate of occurrence (ARO)
Annualized loss expectancy (ALE)
ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO) = AV * EF * ARO
risk response
Risk Mitigation (Reduction)
Implement safeguards, security controls, and security countermeasures to reduce or eliminate vulnerabilities or prevent threats
risk transfer
Purchase cybersecurity insurance, outsource
risk deterrence
Implement audits, security cameras, warning banners, use security personnel
Risk avoidance
Choose an alternative option or activity
risk acceptance
accept loss
risk rejection
Denying or ignoring the risk
Total risk = threat * vulnerability * asset value
Total risk - controls gap = residual risk
Risk management is not a one-time event
Costs and Benefits of Security Controls
Value of a safeguard to the company = ALE before the safeguard is implemented - ALE after the safeguard is implemented - annual cost of the safeguard (ACS)
(ALE1 - ALE2) - ACS
The best security measure is the most cost-effective one
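The SLE, ALE and safeguard-value formulas above, carried through as an added worked example (this is Python written for these notes, not code from the page or from (ISC)2; the asset value, exposure factor, ARO and the three safeguards are constructed figures for a hypothetical server):

```python
from dataclasses import dataclass


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset value lost in one incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO = AV * EF * ARO. ARO may be fractional (0.1 = once a decade)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(av, ef) * aro


def safeguard_value(ale_before: float, ale_after: float, acs: float) -> float:
    """Value of a safeguard = ALE1 - ALE2 - ACS (annual cost of the safeguard).
    A positive result means the safeguard saves more than it costs each year."""
    return ale_before - ale_after - acs


@dataclass(frozen=True)
class Safeguard:
    name: str
    ef_after: float     # exposure factor once the safeguard is in place
    aro_after: float    # annualized rate of occurrence once it is in place
    annual_cost: float  # ACS: purchase, maintenance and operation per year


def rank_safeguards(av, ef, aro, safeguards):
    """Return (name, value) pairs sorted from most to least cost-effective."""
    ale_before = annualized_loss_expectancy(av, ef, aro)
    ranked = []
    for s in safeguards:
        ale_after = annualized_loss_expectancy(av, s.ef_after, s.aro_after)
        ranked.append((s.name, safeguard_value(ale_before, ale_after, s.annual_cost)))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def best_safeguard(av, ef, aro, safeguards):
    """Name of the most cost-effective safeguard, or None when no safeguard has a
    positive value (then accepting or transferring the risk may be the better response)."""
    ranked = rank_safeguards(av, ef, aro, safeguards)
    if not ranked or ranked[0][1] <= 0:
        return None
    return ranked[0][0]


# Constructed sample figures for a hypothetical customer-database server.
SAMPLE_AV = 200_000.0   # asset value in currency units
SAMPLE_EF = 0.25        # one ransomware incident destroys a quarter of its value
SAMPLE_ARO = 0.5        # expected once every two years

SAMPLE_SAFEGUARDS = [
    Safeguard("Offsite backups", ef_after=0.05, aro_after=0.5, annual_cost=4_000.0),
    Safeguard("Mail filtering", ef_after=0.25, aro_after=0.1, annual_cost=12_000.0),
    # Eliminates the risk entirely, but costs more per year than the ALE it removes.
    Safeguard("Air-gapped rebuild", ef_after=0.0, aro_after=0.0, annual_cost=30_000.0),
]


if __name__ == "__main__":
    sle = single_loss_expectancy(SAMPLE_AV, SAMPLE_EF)
    ale = annualized_loss_expectancy(SAMPLE_AV, SAMPLE_EF, SAMPLE_ARO)
    print(f"SLE = {sle:,.0f}  ALE = {ale:,.0f}")
    for name, value in rank_safeguards(SAMPLE_AV, SAMPLE_EF, SAMPLE_ARO, SAMPLE_SAFEGUARDS):
        print(f"{name:<20} annual value {value:>10,.0f}")
    print("best:", best_safeguard(SAMPLE_AV, SAMPLE_EF, SAMPLE_ARO, SAMPLE_SAFEGUARDS))
```

With the sample figures, SLE is 50,000 and ALE is 25,000; offsite backups are worth 16,000 a year, mail filtering 8,000, and the air-gapped rebuild a negative 5,000, which is the point of the formula: the safeguard that removes the most risk is not the best one if its annual cost exceeds the ALE it eliminates.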
Select and implement security countermeasures
Classification
Administrative controls
Includes: policies, procedures, hiring practices, background checks, data classification and labeling, security awareness and training, reporting and review, work supervision, personnel controls and testing
Logical/technical controls
Includes: authentication, encryption, restricted interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems and threshold levels
Physical controls
Applicable control types
Preventive control
IPS
Deterrent control
Policies, security awareness training, locks, fences, security signs, security guards, access control vestibules and security cameras
Detective control
IDS
Compensating control
Corrective control
Recovery control
Directive control
Security Control Assessment
Evaluate individual mechanisms of the security infrastructure against baselines or reliability expectations
Can be used as a supplement to penetration testing or vulnerability assessment
Also available as a complete security assessment
Monitoring and Measurement
Risk reporting and documentation
Risk register contents
Identified risks
Assess the severity of these risks and prioritize them
Develop responses to reduce or eliminate risks
Track risk mitigation progress
Continuous improvement
The Risk Maturity Model (RMM) assesses an enterprise risk management (ERM) program
RMM levels
Initial level
Preparatory level
Defined level
Common or standardized risk framework
Integrated level
Risk management operations are integrated into business processes
Optimized level
Focuses on achieving goals rather than just responding to threats
Legacy risk
EOL (end of life)
EOSL (end of service life)
risk framework
RMF risk management framework
A mandatory standard for US federal agencies
There are six cyclical stages in RMF
Prepare: establish the context and priorities for managing security and privacy risk, from both an organizational and a system-level perspective, in order to carry out RMF
Classification: categorize the system and the information it processes, stores and transmits, based on an analysis of the impact of a loss
Selection: select an initial set of controls for the system and tailor them as necessary to reduce the risk to an acceptable level, based on the risk assessment
Implementation: implement the controls and describe how they are used within the system and its operating environment
Assessment: assess the controls to determine whether they are implemented correctly, operate as intended, and produce the desired results with respect to security and privacy requirements
Authorization: authorize the system or common controls based on a determination that the risk to the organization's operations and assets, individuals, other organizations, and the nation is acceptable
Monitoring: continuously monitor the system and its controls, including assessing control effectiveness, recording changes to the system and operating environment, conducting risk assessments and impact analyses, and reporting on the security and privacy posture of the system
CSF (Cybersecurity Framework)
Designed for critical infrastructure and commercial organizations
Social engineering
The most effective defense against social engineering attacks
User education
Awareness training
Principles
Authority
Intimidation
Consensus
Scarcity
Familiarity
Trust
Urgency
Eliciting information
Pretexting
Phishing
Spear phishing
Whaling
SMS phishing (smishing)
Voice phishing (vishing)
Spam
Shoulder surfing
Invoice scams
Hoaxes
Impersonation and masquerading
Tailgating and piggybacking
Dumpster diving
Identity fraud
Typosquatting
Influence campaigns
Hybrid warfare
Social media
Establish and maintain security awareness, education and training programs
Security awareness
The prerequisite for security training
Training
Education
Improvements
Change the focus of the goals: sometimes the individual, sometimes the customer, sometimes the organization
Change the order and focus of the subjects: one time it is social engineering, the next time device security, the next time something else
Use a variety of presentation methods
Through role-playing, let participants act as attackers and defenders, so that different people contribute ideas for handling attack and defense
Develop and encourage security champions
Gamification enhances and improves training
Incentives and penalties
Increase employee participation in training
Increase understanding
Other improvements: capture-the-flag exercises, simulated phishing, computer-based training (CBT) and role-based training
Effectiveness evaluation
Adopt new methods and techniques
Carried out regularly
2-Exam key points
1. Understand that people are a critical element of security
2. Understand the importance of job descriptions
3. Understand the security implications of hiring new employees
4. Understand onboarding and offboarding
5. Understand the principle of least privilege
6. Understand the need for non-disclosure agreements (NDAs)
7. Understand employee oversight
8. Understand the need for mandatory vacations
9. Understand UBA and UEBA
10. Understand personnel transfers
11. Explain appropriate termination strategies
12. Understand supplier, consultant and contractor controls
13. Understand policy compliance
14. Understand how privacy fits into the IT security landscape
15. Ability to define overall risk management
16. Understand risk analysis and related elements
17. Know how to assess threats
18. Understand qualitative risk analysis
19. Understand the Delphi technique
20. Understand quantitative risk analysis
21. Understand the exposure factor (EF) concept
22. Understand the meaning and calculation of single loss expectancy (SLE)
23. Understand the annualized rate of occurrence (ARO)
24. Understand the meaning and calculation of annualized loss expectancy (ALE)
25. Understand the formula for evaluating safeguards
26. Understand how to handle risk
27. Explain total risk, residual risk and the controls gap
28. Understand control categories
29. Understand control types
30. Understand security control assessment (SCA)
31. Understand security monitoring and measurement
32. Understand risk reporting
33. Understand the need for continuous improvement
34. Understand the risk maturity model
35. Understand legacy security risks
36. Understand the risk framework
37. Understand social engineering
38. Understand how to implement security awareness training, training and education
39. Understand security champions
40. Understand gamification
41. Understand the need for regular content reviews and effectiveness assessments
Important exercises
1. Definitions
Asset: anything used in a business process or task
Threat: any potential event that could have an adverse effect or unintended consequence for an organization or a specific asset
Vulnerability: a weakness in an asset, or the weakness or absence of a safeguard
Exposure: susceptibility to asset loss due to a threat; the possibility that a vulnerability can or will be exploited
Risk: the likelihood or probability that a threat will exploit a vulnerability to cause harm to an asset, and the severity of the damage that may result
2. A security meeting focuses on defining asset values, developing a list of threats, predicting the specific level of harm a breach would cause, and determining how many times per year a threat could disrupt the company. What is this?
A. Qualitative risk assessment
B. Delphi technique
C. Risk avoidance
D. Quantitative risk assessment
Correct answer: D
3. Which of the following are valid definitions of risk?
A. An assessment of probability, likelihood or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure
E. The presence of a vulnerability when a related threat exists
Correct answer: ACD
4. A company installs a new web application on a public web server. Hackers exploit the new code and gain access to data files hosted on the system. This illustrates:
A. Inherent risk
B. Risk matrix
C. Qualitative assessment
D. Residual risk
Correct answer: A. Inherent risk is the risk that exists before any risk management work is performed
5. An organization is looking for a new business partner and has defined several organizational security requirements that must be met before an SLA and a business partner agreement (BPA) are signed. One requirement is that the partner demonstrate a certain implementation level of the risk maturity model: specifically, a common or standardized risk framework must be adopted. Which level is this?
A. Preparatory level
B. Integrated level
C. Defined level
D. Optimized level
Correct answer: C
Initial level: chaotic
Preparatory level: initial attempts, which may differ from department to department
Defined level: a common, standardized risk framework
Integrated level: risk management operations are integrated into business processes, and risk is treated as an element of strategic business decisions
Optimized level: risk management focuses on achieving goals rather than just responding to threats, on business success rather than avoiding incidents, and learns from experience and feeds it back into the risk management process
6. The Risk Management Framework (RMF) provides guidance for managing security and privacy risk, including information security classification, control selection, implementation and evaluation, authorization of systems and common controls, and a sequence of seven steps or stages. Which RMF phase focuses on determining whether a system or common controls are acceptable based on the risk to the organization's operations and assets, individuals, and other organizations?
A. Classification
B. Authorization
C. Evaluation
D. Monitoring
Correct answer: B. RMF stage (6) is the authorization of systems or common controls based on a determination that the risk to the organization's operations and assets, individuals, other organizations, and the nation is acceptable (or reasonable). The stages of RMF are: (1) preparation, (2) classification, (3) selection, (4) implementation, (5) evaluation, (6) authorization, and (7) monitoring. (A) is RMF stage (2), the classification of the system and the information it processes, stores and transmits based on an analysis of the impact of a loss. (C) is RMF stage (5), which evaluates controls to determine whether they are implemented correctly, operate as intended, and produce the desired results with respect to security and privacy requirements. (D) is RMF stage (7), which continuously monitors the system and related controls, including evaluating control effectiveness, recording changes to the system and operating environment, conducting risk assessments and impact analyses, and reporting on the security and privacy posture of the system.
7. Which of the following can be classified as a social engineering attack? (Select all that apply.)
A. A user logs into their workstation and goes to buy a soda from the vending machine in the stairwell. While the user is away from the workstation, another person sits down at the desk and copies all the files in a local folder to a network share.
B. You receive an email warning that a dangerous new virus is spreading on the Internet. The message advises you to find a specific file on your hard drive and delete it because it indicates the presence of the virus.
C. A website claims to offer free temporary access to its products and services, but requires you to change the configuration of your web browser and/or firewall before you can download the access software.
D. A secretary receives a call from someone claiming to be a client who is due to meet the CEO later. The caller asks for the CEO's private mobile number so that he or she can call the CEO directly.
Correct answer: BCD. The activity described in option A merely takes advantage of the victim's absence; it is an opportunistic access attack, not a social engineering attack, because there is no interaction with the victim. The activities described in options B (hoax), C (phishing, hoax, watering hole attack) and D (voice phishing) are all social engineering attacks.
8. Typically, a __ is the member of a team who decides (or is assigned) the responsibility of applying and integrating security concepts into the team's work activities. A __ is often a non-security employee tasked with inspiring others to support and adopt more secure practices and behaviors.
A. Chief Information Security Officer
B. Security champion
C. Security auditor
D. Custodian
Correct answer: B. The correct answer is security champion. A security champion is usually a member of a team who decides (or is encouraged) to apply and integrate security concepts into the team's work activities. A security champion is usually a non-security person who inspires others to support and adopt more secure practices and behaviors. None of the other options is correct. The CISO or Chief Security Officer defines and implements security throughout the organization. The security auditor manages security logs and reviews audit trails for signs of breaches. The custodian accepts assets from the owner and places them in an IT container that provides the appropriate security for the classification assigned by the owner.