Ch. 2- Personnel Security and Risk Management Concepts
Goal of the Security Control Assessment (SCA)
1. Ensure the effectiveness of the security mechanisms 2. Evaluate the quality and thoroughness of the risk management processes of the organization 3. Produce a report of the relative strengths and weaknesses of the deployed security infrastructure
Risk Rejection
A final but unacceptable possible response to risk
D. A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.
A portion of the __________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. A. Hybrid assessment B. Risk aversion process C. Countermeasure selection D. Documentation review
NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems
An SCA is a process implemented by federal agencies based on what publication?
annual costs asset loss
As a rule of asset valuation and reporting, the __________ __________ of safeguards should not exceed __________ __________ of asset loss.
Quantitative Risk Analysis
Assigns real dollar figures to the loss of an asset
Qualitative Risk Analysis
Assigns subjective and intangible values to the loss of an asset
job descriptions
Crafting __________ __________ is the first step in defining security needs related to personnel and being able to seek out new hires.
cost/benefit analysis
Determines whether a safeguard actually improves security without costing too much.
(ALE1-ALE2)-ACS= Value of the safeguard
Formula to calculate CBA
total risk - controls gap = residual risk
Formula to calculate residual risk
ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company [ALE1-AlE2-ACS]
Formula to calculate safeguard for Cost/Benefit
threats * vulnerabilities * asset value = total risk (Note that the * here does not imply multiplication, but a combination function; this is not a true mathematical formula.)
Formula to calculate total risk.
B. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).
How is single loss expectancy (SLE) calculated? A. Threat + vulnerability B. Asset value ($) * exposure factor C. Annualized rate of occurrence * vulnerability D. Annualized rate of occurrence * asset value * exposure factor
A. The value of a safeguard to an organization is calculated by ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1 - ALE2) - ACS].
How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap
B. Third-party governance is the application of security oversight on third parties that your organization relies on.
If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security? A. Asset identification B. Third-party governance C. Exit interview D. Qualitative analysis
mandatory
In many secured environments, these types of vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. The vacation removes the employee from the work environment and places a different worker in their position, which makes it easier to detect abuse, fraud, or negligence on the part of the original employee.
Job Descriptions
Map to specifically assigned responsibilities and tasks.
Exposure Factor (EF)
Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. It can also be called the loss potential.
value
The _________ of an asset directly affects and guides the level of safeguards and security deployed to protect it.
Total Risk
The amount of risk an organization would face if no safeguards were implemented.
Exit Interview
The primary purpose of this, is to review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation.
Risk Analysis
The process by which the goals of risk management are achieved. It includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause if it did occur, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management.
1. Assign Asset Value (AV) 2. Calculate Exposure Factor (EF) 3. Calculate Single Loss Expectancy (SLE) 4. Assess the Annualized Rate of Occurrence (ARO) 5. Derive the Annualized Loss Expectancy (ALE) 6. Perform Cost/Benefit Analysis of Countermeasures
The six major elements of quantitative risk analysis
Vulnerability
The weakness in an asset or the absence or the weakness of a safeguard or countermeasure. In other words, it's a flaw, loophole, oversight, error, limitation, frailty, or susceptibility in the IT infrastructure or any other aspect of an organization. If it's exploited, loss or damage to assets can occur.
Threat Events
These are accidental and intentional exploitations of vulnerabilities. They can also be natural or man-made. They include fire, earthquake, flood, system failure, human error (due to a lack of training or ignorance), and power outage.
Threats
These are any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets or that could block access to or prevent maintenance of assets. They can be large or small and result in large or small consequences. They can be intentional or accidental. They can originate from people, organizations, hardware, networks, structures, or nature.
Job Responsibilities
These are the specific work tasks an employee is required to perform on a regular basis. Depending on these, employees require access to various objects, resources, and services.
Threat Agent
These intentionally exploit vulnerabilities. They are usually people, but they could also be programs, hardware, or systems.
Noncompete Agreement (NCA)
This attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization in order to prevent that second organization from benefiting from the worker's special knowledge of secrets. These are also used to prevent workers from jumping from one company to another competing company just because of salary increases or other incentives.
Residual Risk
This comprises threats to specific assets against which upper management chooses not to implement a safeguard.
Recovery Controls
This control is an extension of corrective controls but have more advanced or complex abilities.
Directive Control
This control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
Deterrent Control
This control is deployed to discourage violation of security policies.
Detective Control
This control is deployed to discover or detect unwanted or unauthorized activity. They operate after the fact and can discover the activity only after it has occurred.
Compensation Control
This control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control.
Preventive Control
This control is deployed to thwart or stop unwanted or unauthorized activity from occurring.
Corrective Controls
This control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident.
Physical Controls
This countermeasure consists of items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.
Technical/Logical Controls
This countermeasure involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems.
Administrative Controls
This countermeasure involves the policies and procedures defined by an organization's security policy and other regulations or requirements.
Employment Agreement
This document outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee.
Background Check
This includes obtaining a candidate's work and educational history; checking references; verifying education; interviewing colleagues, neighbors, and friends; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver's license, and birth certificate; and holding a personal interview. This process could also include a polygraph test, drug testing, and personality testing/evaluation.
Risk Reporting
This involves the production of a risk report and a presentation of that report to the interested/relevant parties. It is a key task to perform at the conclusion of a risk analysis.
Risk Management
This is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
Asset Valuation
This is a dollar value assigned to an asset based on actual cost and non-monetary expenses. These can include costs to develop, maintain, administer, advertise, support, repair, and replace an asset; they can also include more elusive values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.
Risk Framework
This is a guideline or recipe for how risk is to be assessed, resolved, and monitored.
Scenario
This is a written description of single major threat.
Safeguards
This is anything that removes or reduces a vulnerability or protects against one or more specific threats.
Asset
This is anything within an environment that should be protected. It is anything used in a business process or task. If an organization places any value on an item under its control and deems that item important enough to protect, it is labeled this for the purposes of risk management and analysis.
Exposure
This is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event.
Cross-training
This is often discussed as an alternative to job rotation. In both cases, workers learn the responsibilities and tasks of multiple job positions. However, with this, the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis.
Delphi Technique
This is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants. The participants are usually gathered into a single meeting room. To each request for feedback, each participant writes down their response on paper anonymously. The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached.
Compliance
This is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements.
Security Governance
This is the collection of practices related to supporting, defining, and directing the security efforts of an organization. It is closely related to and often intertwined with corporate and IT governance.
Penetration
This is the condition in which a threat agent has gained access to an organization's infrastructure through the circumvention of security controls and is able to directly imperil assets.
Single Loss Expectancy (SLE)
This is the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.
Annualized Rate of Occurrence (ARO)
This is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. It can range from a value of 0.0 (zero), indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often.
Attack
This is the exploitation of a vulnerability by a threat agent. In other words, it is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets. It can also be viewed as any violation or failure to adhere to an organization's security policy.
Security Control Assessment (SCA)
This is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. It can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment.
Risk Mitigation
This is the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats.
Breach
This is the occurrence of a security mechanism being bypassed or thwarted by a threat agent.
Collusion
This is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage.
Risk Assignment
This is the placement of the cost of loss a risk represents onto another entity or organization.
Risk
This is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. It is an assessment of probability, possibility, or chance.
Annualized Loss Expectancy (ALE)
This is the possible yearly cost of all instances of a specific realized threat against a specific asset.
Onboarding
This is the process of adding new employees to the identity and access management (IAM) system of an organization. This process is also used when an employee's role or position changes or when that person is awarded additional levels of privilege or access.
Risk Deterrence
This is the process of implementing deterrents to would-be violators of security and policy.
Documentation Review
This is the process of reading the exchanged materials and verifying them against standards and expectations. It's typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations (or at least requirements), then an on-site review will be able to focus on compliance with the stated documentation.
Risk Avoidance
This is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.
Offboarding
This is the removal of an employee's identity from the IAM system once that person has left the organization. This can include disabling and/or deleting the user account, revoking certificates, canceling access codes, and terminating other specifically granted privileges. This may also include informing security guards and other physical access management personnel to disallow entry into the building to the person in the future.
Risk Acceptance
This is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.
Separation of Duties
This is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators. This prevents any one person from having the ability to undermine or subvert vital security mechanisms.
Third-Party Governance
This is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.
Service Level Agreement (SLA)
This is to ensure that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed on by both the service provider and the vendor.
Nondisclosure Agreement (NDA)
This is used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs this, they agree not to disclose any information that is defined as confidential to anyone outside the organization. Violations of this agreement are often met with strict penalties.
Job Rotation
This means rotating employees among multiple job positions, is simply a means by which an organization improves its overall security. It serves two functions. First, it provides a type of knowledge redundancy. Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information.
Privilege Creep
This occurs when workers accumulate privileges over time as their job responsibilities change. The end result is that a worker has more privileges than the principle of least privilege would dictate based on that individual's current job responsibilities.
Security Control
This refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources.
Principles of Least Privilege
This states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. True application of this principle requires low-level granular control over all resources and functions.
Roles
Typically align to a rank or level of privilege.
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annualized Rate of Occurence (ARO) or ALE = SLE * ARO
What is the formula for Annualized Loss Expectancy (ALE)?
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF) or SLE = AV * EF
What is the formula for Single Loss Expectancy (SLE)?
risk = threat * vulnerability
What is the formula to calculate risk?
C. Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.
What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination
C. The likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.
What security control is directly focused on preventing collusion? A. Principle of least privilege B. Job descriptions C. Separation of duties D. Qualitative risk analysis
A. A vulnerability is the absence or weakness of a safeguard or countermeasure.
When a safeguard or a countermeasure is not present or is not sufficient, what remains? A. Vulnerability B. Exposure C. Risk D. Penetration
B. You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination.
When an employee is to be terminated, which of the following should be done? A. Inform the employee a few hours before they are officially terminated. B. Disable the employee's network access just as they are informed of the termination. C. Send out a broadcast email informing everyone that a specific employee is to be terminated. D. Wait until you and the employee are the only people remaining in the building before announcing the termination.
C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.
A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.
When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request résumés.
B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.
Which of the following is a primary purpose of an exit interview? A. To return the exiting employee's personal belongings B. To review the nondisclosure agreement C. To evaluate the exiting employee's performance D. To cancel the exiting employee's network access accounts
B. Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.
Which of the following is not a valid definition for risk? A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure
C. Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.
Which of the following is not an element of the risk analysis process? A. Analyzing an environment for risks B. Creating a cost/benefit report for safeguards to present to upper management C. Selecting appropriate safeguards and implementing them D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
A. Managing the security function often includes assessment of budget, metrics, resources, and information security strategies, and assessing the completeness and effectiveness of the security program.
Which of the following is not specifically or directly related to managing the security function of an organization? A. Worker job satisfaction B. Metrics C. Information security strategies D. Budget
D. Regardless of the specifics of a security solution, humans are the weakest element.
Which of the following is the weakest element in any security solution? A. Software products B. Internet connections C. Security policies D. Humans
A. Threat events are accidental or intentional exploitations of vulnerabilities.
Which of the following represents accidental or intentional exploitations of vulnerabilities? A. Threat events B. Risks C. Threat agents D. Breaches
C. Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. Failing to properly evaluate and respond to all forms of risk, a company remains vulnerable.
Which of the following statements is not true? A. IT security can provide protection only against logical or technical attacks. B. The process by which the goals of risk management are achieved is known as risk analysis. C. Risks to an IT infrastructure are all computer based. D. An asset is anything used in a business process or task.
D. The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.
Which of the following would generally not be considered an asset in a risk analysis? A. A development process B. An IT infrastructure C. A proprietary system resource D. Users' personal files
B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.
While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information
D. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.
You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? A. Exposure factor B. Single loss expectancy (SLE) C. Asset value D. Annualized rate of occurrence
