MindMap Gallery: [CISSP 9th Edition] Chapter 2 Personnel Security and Risk Management Concepts
This is a mind map of Chapter 2 of the [CISSP 9th Edition] study guide, Personnel Security and Risk Management Concepts. It covers personnel security policies and procedures, understanding and applying risk management concepts, social engineering, and security awareness programs.
Edited at 2023-12-18 21:40:42
Chapter 2 Personnel Security and Risk Management Concepts
2.1 Personnel Security Policies and Procedures
Job descriptions and responsibilities
Steps in hiring a new employee
Create a job description or position description
Set a classification level for the position
Screen applicants
Hire and train the best person for the job
Job responsibilities are the specific work tasks an employee is required to perform on a regular basis.
Job descriptions are not exclusive to the hiring process; they should be maintained throughout the life of the organization.
Candidate screening and hiring
Screening candidates for a specific position is based on the sensitivity and classification level defined in the job description.
Background checks include:
Obtaining the candidate's employment and educational history
Checking references
Verifying academic qualifications
Interviewing colleagues
Checking police and government records for arrests or illegal activities
Verifying identity with fingerprints, driver's license and birth certificate
Conducting a personal interview
Reviewing an individual's online presence can quickly give an overall picture of their attitude, intelligence, loyalty, common sense, diligence, honesty, respect, consistency, and adherence to social norms and/or corporate culture.
Conduct interviews with qualified job applicants
Onboarding: employment agreements and policies
Onboarding is the process of adding a new employee to the organization.
New employees are provided with a computer/network user account.
Identity and access management (IAM)
To ensure security, access rights should be assigned according to the principle of least privilege.
Under the principle of least privilege, users are granted only the minimum access rights necessary to complete their job tasks or responsibilities.
Sign the employment agreement
Acceptable use policy (AUP)
Nondisclosure agreement (NDA)
Employee oversight
Throughout an employee's tenure, managers should periodically review or audit the employee's job description, job tasks, privileges and responsibilities.
User behavior analytics (UBA)
User and entity behavior analytics (UEBA)
Information collected by UBA/UEBA monitoring can be used to improve personnel security policies, procedures, training and related security oversight programs.
Separation, transfer and termination processes
Offboarding is the reverse of onboarding: when an employee leaves the company, their identity is removed from the IAM system.
A complete offboarding process may include disabling or deleting user accounts, revoking certificates, invalidating access codes, and terminating other specifically granted privileges.
During the termination process, a strong working relationship between the security department and the human resources (HR) department is essential to maintain control and minimize risk.
Termination security matters
Remove or disable the employee's user account at the same time as, or before, the employee is notified of the termination.
Ensure the employee has returned company vehicles and any company equipment or supplies kept at home.
Have a security guard escort the employee while they collect personal belongings from the work area.
Notify all security personnel, patrol staff, or persons monitoring entrances and exits so that the former employee cannot re-enter the building without an escort.
Firing: timing is everything
The IT department asks for the laptop to be returned
Disable the network account
Deactivate the PIN or smart card used for office entry
Revoke the parking permit
Distribute the corporate reorganization chart
Place the new employee in their cubicle or work area
Allowing news of the dismissal to leak to the media
Vendor, consultant and contractor agreements and controls
A service level agreement (SLA) is a means of ensuring that an organization providing a service maintains appropriate service levels, based on an agreement between the service provider, vendor or contractor and the customer organization.
SLAs and controls over vendors, consultants and contractors are an important part of risk reduction and avoidance.
Outsourcing is a general term for using an outside third party, such as a vendor, consultant or contractor, rather than performing tasks or operations in-house.
Outsourcing can serve as a risk response option, becoming a transfer or assignment of risk.
Vendor management system (VMS): a software solution that assists in the management and procurement of staffing services, hardware, software and other required products and services.
Compliance policy requirements
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards or requirements.
Compliance is an administrative or managerial form of security control.
Compliance enforcement refers to the sanctions or consequences imposed for failing to adhere to policies, training, best practices or regulations.
Compliance is also a regulatory concern.
Privacy policy requirements
Some definitions of privacy
Active prevention of unauthorized access to information that is personally identifiable (i.e., data points that can be linked directly to a person or organization), known as personally identifiable information (PII).
Protection against unauthorized access to personal or confidential information.
Freedom from being observed, monitored or examined without consent or knowledge.
Personally identifiable information (PII)
Name
Telephone number
Email address
Mailing address
Social security number
IP address and MAC address (in Germany and, in certain cases, other EU member states)
PII is any data item that can easily or obviously be traced back to the person who created it or to whom it relates.
Privacy raises many legal and regulatory compliance issues.
U.S. privacy laws
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Financial Services Modernization Act
EU privacy laws
General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679)
2.2 Understand and apply risk management concepts
Risk management concepts
Risk management is a detailed process of:
Identifying factors that could damage or disclose assets
Evaluating those factors in light of asset value and the cost of countermeasures
Implementing cost-effective solutions to mitigate risk
The primary goal of risk management is to reduce risk to an acceptable level.
Two elements of risk management
Risk assessment or risk analysis: examining the risks in the environment, assessing the likelihood of each threat event occurring and the loss it would cause if it did, and evaluating the cost of the various risk controls.
Risk response: evaluating countermeasures, safeguards and security controls using cost/benefit analysis, adjusting the assessment results for other conditions, concerns, priorities and resources, and presenting response recommendations to senior management in a report.
A concept related to risk management is risk awareness.
Risk awareness is the effort to increase the perception of risk within the organization.
Risk awareness helps the organization understand the importance of complying with security policies and the consequences of security failures.
Risks to the IT infrastructure are not limited to computers:
Accidents
Natural disasters
Financial threats
Civil unrest
Pandemics
Physical threats
Technical exploitation
Social engineering
Risk terms and concepts
Asset
Asset valuation
Threat
Threat agent/actor
Threat event
Threat vector
Vulnerability
Exposure
Risk
Safeguard (protective measure)
Attack
Breach
Asset valuation
Asset-based (asset-initiated) risk analysis begins with an inventory of all organizational assets.
Once the inventory is complete, each asset must be assigned a value.
Methods of valuing assets
Purchase cost
Development cost
Administrative or management cost
Maintenance or upkeep cost
Cost of acquiring the asset
Cost of protecting or sustaining the asset
Value to owners and users
Value to competitors
Intellectual property or equity value
Market valuation (sustainable price)
Replacement cost
Productivity enhancement or degradation
Operational costs of the asset's presence and loss
Liability for asset loss
Usefulness
Relationship to research and development
Identify threats and vulnerabilities
A fundamental part of risk management is identifying and examining threats.
Compile a list of threats to the organization's identified assets that is as exhaustive as possible.
The threat list should include threat agents as well as threat events.
When compiling a threat list, be sure to consider threats from a wide range of sources.
NIST SP 800-30 Rev. 1 provides a detailed and formal list of threat examples, concepts and categories:
Appendix D "Threat Sources"
Appendix E "Threat Events"
Risk assessment and analysis should be performed by a team, not a single individual.
Risk assessment/analysis
Risk assessment/analysis is primarily the responsibility of senior management.
Senior management is responsible for initiating and supporting risk analysis and assessment by defining the scope and objectives of the work.
Risk is personal, or at least organization-specific, depending on the organization's assets, threats, threat agents/actors, and risk tolerance.
Risk assessment methods
Quantitative risk analysis: based on mathematical calculations that use actual monetary values to compute asset loss.
Qualitative risk analysis: expresses asset loss in subjective and intangible terms, taking into account opinions, feelings, intuition, preferences, ideas and gut reactions.
The goal of risk assessment is to identify risks (based on asset-threat pairings) and prioritize them by importance.
Combining quantitative and qualitative analysis in the organization's final risk assessment process is called hybrid assessment or hybrid analysis.
Qualitative risk analysis methods
Brainstorming
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews
Scenarios
Delphi technique
Quantitative risk analysis methods
Inventory the assets and assign an asset value (AV) to each one.
Research each asset and list all possible threats to it, forming asset-threat pairings.
For each asset-threat pairing, calculate the exposure factor (EF).
For each asset-threat pairing, calculate the single loss expectancy (SLE).
Perform a threat analysis and calculate the likelihood of each threat occurring within a year, known as the annualized rate of occurrence (ARO).
Calculate the annualized loss expectancy (ALE) to obtain the overall loss each threat could cause per year.
Research countermeasures for each threat, then recalculate ARO, EF and ALE with the countermeasures in place.
Perform a cost/benefit analysis of every countermeasure for every threat to every asset, and select the most appropriate countermeasure for each threat.
Exposure factor (EF)
Single loss expectancy (SLE)
Annualized rate of occurrence (ARO)
Annualized loss expectancy (ALE)
Comparison of quantitative and qualitative risk analysis (figure)
Risk response
Risk mitigation
Risk assignment
Risk deterrence
Risk avoidance
Risk acceptance
Risk rejection
Inherent risk. Example: firefighters face a greater risk of being harmed by fire than ordinary people as a consequence of their career choice.
Residual risk
Total risk: threats * vulnerabilities * asset value = total risk
Controls gap: total risk - controls gap = residual risk
Costs and benefits of security controls
For each asset-threat pairing (i.e., each identified risk), a list of possible and available safeguards must be compiled.
Factors influencing the annual cost of a safeguard (ACS)
Purchase, development and licensing costs
Implementation and customization costs
Annual operation, maintenance, administration and other expenses
Annual repair and upgrade costs
Productivity enhancement or degradation
Changes to the environment
Testing and evaluation costs
Cost/benefit formula for a specific safeguard against a specific risk to a specific asset
(ALE before the safeguard is implemented - ALE after the safeguard is implemented) - ACS
(ALE1 - ALE2) - ACS
Various formulas related to quantitative risk analysis
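The quantitative risk analysis steps above and the cost/benefit formula worked through in code, as an added example that is not part of the mind map or the CISSP study guide. The asset value, exposure factors, occurrence rates and safeguard costs are constructed sample numbers, and the safeguard names are hypothetical.

```python
from dataclasses import dataclass

def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = asset value (AV) * exposure factor (EF, fraction of AV lost per event)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * annualized rate of occurrence (ARO, expected events per year)."""
    return sle * aro

@dataclass
class Safeguard:
    name: str
    ef_after: float     # exposure factor with the safeguard in place
    aro_after: float    # annualized rate of occurrence with the safeguard in place
    annual_cost: float  # annual cost of the safeguard (ACS)

def safeguard_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Cost/benefit of a safeguard: (ALE1 - ALE2) - ACS. Positive means it pays off."""
    ale1 = annualized_loss_expectancy(single_loss_expectancy(av, ef), aro)
    ale2 = annualized_loss_expectancy(single_loss_expectancy(av, sg.ef_after), sg.aro_after)
    return (ale1 - ale2) - sg.annual_cost

def choose_safeguard(av: float, ef: float, aro: float, candidates: list) -> "Safeguard | None":
    """Pick the safeguard with the highest cost/benefit; None if no candidate pays off."""
    best = max(candidates, key=lambda sg: safeguard_value(av, ef, aro, sg))
    return best if safeguard_value(av, ef, aro, best) > 0 else None

# Constructed sample: a 200,000 customer database; a ransomware threat destroys 60%
# of its value (EF = 0.6) and is expected once every two years (ARO = 0.5).
AV, EF, ARO = 200_000.0, 0.6, 0.5
CANDIDATES = [  # hypothetical safeguards with constructed post-safeguard EF/ARO and ACS
    Safeguard("offline backups", ef_after=0.1, aro_after=0.5, annual_cost=15_000),
    Safeguard("endpoint protection", ef_after=0.6, aro_after=0.1, annual_cost=40_000),
    Safeguard("hot standby site", ef_after=0.05, aro_after=0.5, annual_cost=70_000),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(AV, EF)
    print(f"SLE = {sle:,.0f}, ALE = {annualized_loss_expectancy(sle, ARO):,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:20s} (ALE1 - ALE2) - ACS = {safeguard_value(AV, EF, ARO, sg):,.0f}")
    print("best safeguard:", choose_safeguard(AV, EF, ARO, CANDIDATES).name)
```

Note that the hot standby site reduces ALE the most but has a negative cost/benefit, which is why the formula, not the ALE reduction alone, drives the selection.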
Select and implement countermeasures
Applicable control types
Security control assessment
Monitoring and measurement
Risk reporting and documentation
Continuous improvement
Risk frameworks
2.3 Social Engineering
Social engineering principles
Eliciting information
Phishing
Spear phishing
Whaling
Smishing (SMS phishing)
Vishing (voice phishing)
Spam
Shoulder surfing
Invoice scams
Hoaxes
Impersonation and masquerading
Tailgating and piggybacking
Dumpster diving
Identity fraud
Typosquatting
Influence campaigns
2.4 Establish and maintain a security awareness, education and training program
Security awareness
Training
Education
Improvement
Effectiveness evaluation