Job responsibilities (Gob responsibilities) refer to the specific work tasks that employees regularly perform.

Job descriptions are not specific to the recruitment process and they should be maintained throughout the life of the organization

Screening of candidates for specific positions is based on sensitivity and classification levels as defined by the job description

Background checks include

By reviewing online information on an individual's social network, one can quickly glean an overall picture of an individual's attitude, intelligence, loyalty, common sense, diligence, honesty, respect, consistency, and compliance with social norms and/or corporate culture.

Conduct interviews with qualified job applicants

How to recruit satisfactory employees, you need to describe job responsibilities in detail

Onboarding is the process of adding new employees to an organization

Sign employment agreement

Non-disclosure agreement (NDA)

Non-competition Agreement (NCD)

Managers should periodically review or audit each employee’s job description, job tasks, privileges, and responsibilities throughout the employee’s employment

User behavior analytics (UBA)

User and entity behavior analytics (UEBA)

Information collected by UBA/UEBA monitoring can be used to improve personnel safety policies, procedures, training, and related safety oversight programs.

Offboarding is the opposite process of onboarding, which is when an employee leaves the company and their identity is removed from the IAM system

A complete resignation process: This may include disabling and/or deleting user accounts, revoking certificates, revoking access codes, and terminating other specifically granted privileges. It is common to disable a former employee's account so that their identity is retained for several months for audit purposes

During the termination process, it is important to have a strong relationship between the security department and the human resources (HR) department to maintain control and minimize risk.

Resignation security matters

Fired: Timing is everything

A Service Level Agreement (SLA) is a method of ensuring that an organization providing a service maintains appropriate service levels based on an agreement between the service provider, supplier or contractor, and the customer organization

SLAs and controls for suppliers, consultants and contractors are an important part of risk reduction and avoidance

Vendor Management System (VMS): VMS is a software solution that assists in the management and procurement of staffing services, hardware, software and other required products and services.

Outsourcing is a term that generally refers to the use of an outside third party, such as a supplier, consultant, or contractor, rather than performing tasks or operations in-house. Outsourcing can be a risk response option known as transfer or assignment risk

Compliance is the act of conforming to or adhering to rules, policies, regulations, standards or requirements

Compliance is an administrative or managerial form of security control

Compliance enforcement refers to the sanctions or consequences imposed for failure to comply with policies, training, best practices and/or regulations

Compliance is also a regulatory issue

Some definitions of privacy

Personally identifiable information (PII)

The European Union’s General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679)

U.S. Privacy Laws and Regulations

Risk management is a detailed process

The main goal of risk management is to reduce risk to an acceptable level

Risks to IT infrastructure aren’t just about computers

Two basic elements of risk management

Risk awareness is the work carried out to increase the awareness of risks within an organization. Risk awareness helps the organization understand the importance of complying with security policies and the consequences of security failures.

risk tolerance

Asset: An asset can be anything used in a business process or task. The core is to protect assets and be cost-effective.

Asset Valuation: Asset valuation is the monetary value assigned to an asset based on a number of factors, including importance to the organization, usage in key processes, actual cost and non-monetary expenditures such as time, attention, productivity and R&D, etc.).

Threat: Any potential event that may occur and cause adverse or unexpected consequences to an organization or a specific asset is a threat

Threat Agent/Agent: A threat agent or threat actor purposefully exploits a vulnerability.

Threat Incidents: Threat incidents are accidental and intentional exploitation of vulnerabilities

Threat vector: Threat vector or attack vector refers to the path or means used by an attack or attacker to access a target in order to cause harm. External ones cannot be eliminated, such as hackers themselves cannot control it.

Vulnerability: Vulnerability is a weakness in an asset, a weakness in safeguards or controls, or a lack of safeguards or controls/controls, internal, and often creates a liability (technical or managerial)

Exposure: Exposure is the likelihood that a threat will cause damage to an asset

Risk: Risk is the likelihood or probability that a threat will exploit a vulnerability to cause damage to an asset and the severity of the damage that may be caused.

Safeguard: A safeguard, security control, protective mechanism or control is anything that eliminates or reduces a vulnerability, or protects against one or more specific threats.

Attack: An attack refers to a threat actor deliberately trying to exploit a vulnerability to cause asset damage, loss or leakage.

Breach: Breach, intrusion or penetration occurs when a security mechanism is bypassed or blocked by a threat actor

Risk analysis begins with an inventory of all organizational assets. Once the inventory is completed, each asset needs to be valued.

Annual cost of protective measures < Annual loss expectation of production

Methods of assessing value

A fundamental part of risk management is identifying and examining threats

This involves creating as exhaustive a list of threats as possible to the organization's identified assets. The list should include threat actors as well as threat events

When compiling a threat list, be sure to consider threats from a variety of sources.

A detailed and formal list of threat examples, concepts, and classifications

In most cases, it will be a team that performs the risk assessment and analysis

Risk assessment/analysis is primarily the responsibility of senior management

Senior management is responsible for initiating and supporting risk analysis and assessment by defining the scope and objectives of the work

Risk is individual, or at least organization-specific, based on its assets, threats, threat agents/threat subjects, and their risk tolerance.

risk assessment methods

The goal of risk assessment is to identify risks (based on asset-threat combinations) and prioritize them by importance

Mixing quantitative and qualitative analysis into an organization's final risk assessment process is called hybrid assessment or hybrid analysis

Qualitative risk analysis methods

Quantitative risk analysis methods

Risk mitigation, mitigation, reduction (risk mitigation): reducing risk or mitigating risk refers to implementing protective measures, security controls

Risk assignment: Risk assignment or risk transfer refers to transferring the losses caused by risks to another entity or organization.

Risk deterrence: Risk deterrence is the process of deterring potential violators of security and policy.

Risk avoidance: Risk avoidance is the process of selecting alternative options or activities that are less risky than the default, generic, expedient, or cheaper option. For example, choosing to fly to your destination (rather than drive there) is a way to avoid risk

Risk acceptance: Risk acceptance or risk tolerance is the result of a cost/benefit analysis showing that the cost of the control measures will exceed the potential losses caused by the risk.

Risk rejection: A response to an unacceptable but possible risk is to reject or ignore the risk.

Inherent risk (initial/starting risk): is the natural, native, or default level of risk that exists in an environment, system, or product before any risk management efforts are performed.

Residual risk: A risk that management chooses to accept rather than mitigate.

Total risk: refers to the total risk faced by the organization without implementing protective measures.

Control gap: refers to the risk reduced by implementing protective measures

For each asset-threat combination (i.e., identified risk), a list of possible and available protective measures must be compiled.

Factors influencing the annual cost of protective measures (ACS)

Cost/benefit calculation formula for specific protective measures against specific risks for specific assets

Various formulas related to quantitative risk analysis

Security controls, security countermeasures and protective measures can be administrative, logical/technical, or physical. These three security mechanisms should be implemented in a layered concept and a defense-in-depth approach to provide maximum benefits (see Figure 2.4). Three-pronged approach

Administrative controls: Policies and procedures specified in accordance with an organization's security policy and other regulations or requirements

Logical/technical controls: Measures include hardware or software mechanisms that manage access and provide security for IT resources and systems.

Physical controls: Security mechanisms designed to protect facilities and real-world objects

"Security control" refers to performing various control tasks

Preventive Controls: Deploying preventive controls to thwart or prevent unintended or unauthorized activities from occurring, beforehand

Deterrent controls: Deploy deterrent controls to prevent violations of security policies, beforehand

Detection controls: Deploy detection controls to detect or detect unexpected or unauthorized activity,

Compensating controls: Help enhance and support security policies by providing various options for other existing controls.

Corrective Controls: Small events that modify the environment to restore the system to a normal state from the occurrence of unanticipated or unauthorized activity. afterwards

Restorative Control: An extension of corrective control, but with more advanced and complex capabilities, after the fact

Instruction control: used to guide, limit or control the behavior of the subject to force or encourage the subject to comply with security policies

Security control assessment (SCA): A formal assessment of various mechanisms of a security infrastructure based on baselines or reliability expectations.

The goals of SCA are to ensure the effectiveness of security mechanisms, assess the quality and thoroughness of an organization's risk management processes, and generate reports on the strengths and weaknesses of the deployed security infrastructure.

Federal agencies implement SCA based on NIST SP 800-53 Rev.5 “Security and Privacy Controls for Information Systems and Organizations”

SCA is defined as a government process

The benefits provided by security controls should be monitorable and measurable

Risk reporting: includes preparing a risk report and presenting the report to stakeholders

Risk Register or Risk Log: is a risk inventory document that lists all identified risks within an organization or system or within a single project

Risk matrix or risk heat map: is a form of risk assessment performed on a basic graph or chart. It is sometimes called qualitative risk assessment

Test points: Who are the relevant parties and audiences to consider?

Test points: Consider the content of the report, improvement measures, or improvement suggestions

Security is constantly changing. Therefore, any implemented security solution will need to be updated over time.

Evaluate enterprise risk management (ERM) programs using the risk maturity model (RMM)

RMM level

Legacy equipment risks

A risk framework is a guide or methodology on how to assess, address and monitor risks

risk management framework (RMF)

Threat modeling in the design phase, security by design

Cybersecurity framework (CSF)

ISO/IEC 31000 "Risk Management - Guidance" document

Other frameworks

persuade someone to perform an unauthorized action

Convince someone to reveal confidential information.

Educate personnel on social engineering attacks and how to recognize common attack signatures.

Authentication is required when performing activities for people over the phone.

Defines restricted information that must never be communicated via text-only communications such as telephone calls or standard email.

Always verify the maintenance personnel's credentials and verify that an authorized person made the actual service call.

Never follow instructions from an email without verifying the information with at least two independent and trusted sources

Use caution when dealing with anyone you do not know or who does not know you, whether in person, over the phone or over the internet/online

The most important measure to defend against social engineering attacks is user education and awareness training

Authority: is an effective technique because most people are likely to respond submissively to authority. The key is to convince the target that the attacker is someone with valid internal or external permissions

Intimidation: can sometimes be seen as a derivative of the authority principle. Intimidation uses authority, trust, or even the threat of harm to push someone to carry out an order or instruction

Consensus: or social proof is the act of tapping into a person's natural tendencies. People tend to imitate what others are doing or have done in the past

Scarcity: is a technique used to make someone estimate that an object is of higher value because of its scarcity. This may be related to products that are only produced in small quantities or with limited opportunities, or it may be related to the few products that remain after most of the inventory has been sold.

Familiarity: or liking is a social engineering principle that attempts to exploit a person's inherent trust in familiar things.

Trust: In this social engineering principle, the attacker strives to build a relationship with the victim.

Urgency: Often associated with scarcity, as scarcity represents a greater risk of missing out, so the need to act quickly increases.

Obtaining information is the activity of collecting or aggregating information from systems or people.

A preposition is a term, expression, or phrase added to the beginning or title of other communications. Prepositions are often used to further refine or establish a pretext for engineered attacks, such as spam, hoaxes, and phishing

Phishing is a form of engineering attack that focuses on stealing credentials or identity from any potential target.

Drive-by downloads: When users visit a website, malware is installed without their knowledge. Drive-by downloads exploit vulnerabilities in browsers or plug-ins

Defensive measures against phishing

Spear phishing is a more targeted form of phishing, where messages are crafted specifically to target a specific group of users

Protect against spear phishing

Whaling is a variation of spear phishing that targets specific high-value individuals (by title, industry, media reports, etc.) such as CEOs and other C-level executives Manager, administrator or high net worth client

Short Message Service (SMS) phishing or smishing is a social engineering attack that occurs on or through standard text messaging services

Vishing (i.e., voice-based phishing) or SplT (Internet Telephone Spam) is phishing carried out through any telephone or voice communication system.

Way

Spam is any type of unwanted and/or unsolicited email

Shoulder surfing is a type of social engineering attack that typically occurs in the real world or face-to-face.

Shoulder surfing occurs when someone is able to see a user's keyboard or monitor.

An invoice scam is a social engineering attack that typically involves providing a false invoice and then strongly enticing payment in an attempt to steal funds from an organization or individual.

A hoax is a form of social engineering designed to cause a target to perform actions that will cause problems or degrade their IT security.

Impersonation is the act of assuming someone else's identity

You can log in via personal, phone, email, or person's account or through any other means of communication. Impersonation can also be called disguise, deception, or even identity fraud

Tailing occurs when an unauthorized entity uses the authorization of a legitimate employee to enter a facility without the employee's knowledge.

A problem similar to tailing is piggybacking. Piggybacking occurs when an unauthorized entity obtains a victim's consent through deception and enters a facility with the authorization of legitimate staff

Decoys are when attackers place USB drives, discs, or even wallets in locations where employees may encounter them.

Available double doors to prevent

Dumpster diving is the act of digging through trash, abandoned equipment, or abandoned sites to obtain information about a target organization or individual

Typical collections include old calendars, call sheets, handwritten meeting minutes, discard forms, product boxes, user manuals, post-it notes, printed reports, or printer test sheets.

Identity theft and identity fraud refer to all types of crimes that involve unlawfully obtaining and using another person's personal data in a fraudulent or deceptive manner, usually for financial gain

Fraud: Calling something false true. Identity fraud is when you falsely claim to be someone else by using information stolen from the victim

Deception: refers to any act of concealing a valid identity, This is usually accomplished by using another identity.

Typo squatting is the practice of capturing and redirecting traffic when a user incorrectly enters the domain name or 1P address of a target resource.

Wrong spelling of domain name

URL hijacking

An influence campaign is a social engineering attack that attempts to guide, shape, or change public opinion. Hackers may launch such attacks against individuals or organizations, but most influence campaigns appear to be conducted by nation-states against their real or perceived external enemies.

hybrid warfare

social media

A prerequisite for implementing safety training is establishing safety awareness. The goal of building security awareness is to get users to put security first and recognize this

All personnel should be fully aware of their own safety responsibilities and obligations. They are trained to know what to do and what not to do.

Training refers to teaching employees to perform their job tasks and follow security policies. Training is usually organized by the organization and is targeted at groups of employees with similar job functions.

Education is a more detailed work where students/users learn much more than they actually need to know to complete their job tasks

Change the focus of training objectives. Sometimes the focus is on the individual, sometimes on the customer, sometimes on the organization.

Change the order or focus of training topics. You can focus one training on social engineering, the next on mobile security, and the next on home and travel security.

Use a variety of presentation methods, such as live presentations, pre-recorded videos, computer software/simulation software, virtual reality (VR) experiences, off-site training, interactive websites, or assigned readings from prepared courseware or ready-made books

Through role-playing, participants play attackers and defenders, and different people are allowed to provide ideas related to defense or response to an attack.

It is important that all training materials undergo regular content reviews. Reviews help ensure training materials and presentations are aligned with business goals, organizational mission, and security goals

The most effective way to detect and evaluate social work