D1/Ch2: Personnel Security and Risk Management
Risk Management Framework (RMF) (6 Steps per NIST SP 800-37)
1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
2. Select an initial set of baseline security controls for the information system based on the security categorization; tailor and supplement the security control baseline as needed based on an organizational assessment of risk and local conditions.
3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
6. Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
7 Applicable Control Types (to secure personnel)
1. Deter (policies, security awareness training, badges, guards, mantraps)
2. Prevent (fences, locks, biometrics, lighting, alarms, IDS, IPS)
3. Detect (CCTV, job rotation, audits, mandatory vacation, etc.)
4. Compensate (supports/enforces policy)
5. Correct (reboot a system, terminate malicious software)
6. Recover (backups, restores, imaging)
7. Direct (direct, define, control, give directives)
The 6 major steps/phases in quantitative risk analysis
1. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this chapter named "Asset Valuation.")
2. Research each asset, and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year, that is, the annualized rate of occurrence (ARO).
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
3 Categories of Security Control Mechanisms for Defense-In-Depth
1. Physical Controls
2. Logical/Technical Controls
3. Administrative Controls
*All three layers lead to control over Assets
Service Level Agreement (SLA)
A negotiated agreement between the customer and the vendor. The SLA may specify the levels of availability, serviceability, performance, operation, or other commitment requirements.
Risk Framework
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The primary example of a risk framework referenced by the CISSP exam is the one defined by NIST in Special Publication 800-37.
Security Control Assessment
A security control assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. The SCA can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment. The goals of an SCA are to ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the organization's risk management processes, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure. Generally, an SCA is a process implemented by federal agencies based on NIST Special Publication 800-53A, titled "Guide for Assessing the Security Controls in Federal Information Systems."
Administrative Controls
Administrative controls are the policies and procedures defined by an organization's security policy and other regulations or requirements. They are sometimes referred to as management controls.
ACS
Annual Cost of Safeguard
ALE
Annualized Loss Expectancy
Qualitative Risk Analysis Techniques
Brainstorming, Delphi technique, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, interviews
Collusion
Collusion is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage. By limiting the powers of individuals, separation of duties requires employees to work with others to commit larger violations. The act of finding others to assist in a violation, and then the actions taken to perform that violation, are more likely to leave behind evidence and be detectable, which directly reduces the occurrence of collusion.
Job Rotation
Job rotation, or rotating employees among multiple job positions, is simply a means by which an organization improves its overall security. Job rotation serves two functions. First, it provides a type of knowledge redundancy. Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information.
Physical Controls
Physical controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.
Privilege Creep
Privilege creep occurs when workers accumulate privileges over time as their job responsibilities change. The end result is that a worker has more privileges than the principle of least privilege would dictate based on that individual's current job responsibilities.
Qualitative Risk Analysis
Qualitative risk analysis assigns subjective and intangible values to the loss of an asset.
2 Risk Assessment Methodologies
1. Quantitative Risk Analysis ($)
2. Qualitative Risk Analysis (reputation, customer confidence, workforce stability, etc.)
Quantitative Risk Analysis
Quantitative risk analysis assigns real dollar figures to the loss of an asset.
Risk Responses
Reduce or mitigate; assign or transfer; accept; deter; avoid; reject or ignore
Formula for Residual Risk
Residual Risk = Total Risk - Controls Gap
Risk Management
Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. The overall process of risk management is used to develop and implement information security strategies. The goal of these strategies is to reduce risk and to support the mission of the organization. The primary goal of risk management is to reduce risk to an acceptable level.
Formula for Safeguard Evaluation
SE = (ALE1 - ALE2) - ACS
SE
Safeguard Evaluation
Security Governance
Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
Separation of Duties
Separation of duties is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators. This prevents any one person from having the ability to undermine or subvert vital security mechanisms. Think of separation of duties as the application of the principle of least privilege to administrators. Separation of duties is also a protection against collusion.
Technical/Logical Controls
Technical or logical controls involve the hardware or software mechanisms used to manage access and to provide protection for resources and systems.
Delphi Technique
The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.
Formula for finding the Controls Gap
The difference between total risk and residual risk is known as the controls gap.
Controls Gap = Total Risk - Residual Risk
Non-Compete Agreement (NCA)
A noncompete agreement attempts to prevent an employee who has special knowledge of one organization's secrets from working for a competing organization, so that the competitor cannot benefit from the worker's knowledge of those secrets.
Principle of Least Privilege
The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. True application of this principle requires low-level granular control over all resources and functions.
Risk Analysis
The process by which the goals of risk management are achieved is known as risk analysis.
Cost-Benefit Analysis (CBA)
The result of a Risk Analysis
Third Party Governance
Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor. Third-party governance focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations. On-site assessments can provide firsthand exposure to the security mechanisms employed at a location. Example: third-party audits.
Formula for Total Risk
Total Risk = Threats x Vulnerabilities x Asset Value
Non Disclosure Agreement (NDA)
A nondisclosure agreement (NDA) is used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside the organization. Violations of an NDA are often met with strict penalties.