Chapter 2 - Personnel Security and Risk Management Concepts


What are the six major elements of quantitative analysis?

1. Assign assets a value (AV).
2. Calculate the exposure factor (EF).
3. Calculate the single loss expectancy (SLE).
4. Assess the annualized rate of occurrence (ARO).
5. Derive the annualized loss expectancy (ALE).
6. Perform a cost/benefit analysis of countermeasures.

What are some responses to risk?

1. Mitigation or reduction
2. Assignment or transfer
3. Deterrence
4. Avoidance
5. Acceptance
6. Rejection or ignoring

What are some of the security issues that should be taken care of when an employee is terminated?

1. Remove or disable the employee's user account at the same time as, or just before, they are notified of being terminated.
2. Make sure the employee returns any organizational equipment or supplies from their vehicle or home.
3. Arrange for a member of the security department to accompany the released employee while they gather their personal belongings from the work area.
4. Inform all security personnel and anyone else who watches or monitors any entrance point, to ensure that the ex-employee does not attempt to re-enter the building without an escort.
5. Blocking a person's personal identification number (PIN) or smartcard for building entrance.
6. Revoking a parking pass.
7. Positioning a new employee in their cubicle or workspace.
8. Allowing layoff information to be leaked to the media.

Define an Acceptable Use Policy (AUP)?

An AUP states what is and what isn't an acceptable activity, practice, or use of company equipment and resources.

Define Breach

A Breach, intrusion, or penetration is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. A breach is a successful attack.

Define a Vendor Management System (VMS).

A VMS is a system for hardware, software, and other needed products and services.

Define Safeguards

A safeguard, security control, protection mechanism, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. This concept is also known as a risk response. A safeguard is any action or product that reduces risk through the elimination or lessening of a threat or a vulnerability. Safeguards are the means by which risk is mitigated or resolved. It is important to remember that a safeguard need not involve the purchase of a new product; reconfiguring existing elements, and even removing elements from the infrastructure, are also valid safeguards or risk responses.

What is an SLA, and when is it important?

A service level agreement is a contract stating what level of commitment will be present. These agreements are important when dealing with third parties. Usually SLAs also include a level of commitment in reference to monetary compensation if things don't go well.

Define Threat Vector

A threat vector or attack vector is the path or means by which an attack or attacker can gain access to a target in order to cause harm. Threat vectors can include email, web surfing, external drives, Wi-Fi networks, physical access, mobile devices, cloud, social media, supply chain, removable media, and commercial software.

What is the formula for ALE?

ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

or

ALE = asset value (AV) * exposure factor (EF) * annualized rate of occurrence (ARO)

More simply: ALE = SLE * ARO, or ALE = AV * EF * ARO.

Risk Acceptance

Accepting risk, or acceptance of risk, is the result after a cost/benefit analysis shows that the countermeasure's cost would outweigh the possible cost of loss due to a risk. It also means that management has agreed

Define a Non-Disclosure Agreement (NDA).

An NDA is used to protect the confidential information within an organization from being disclosed by a current or former employee. Violations of an NDA are often met with strict penalties.

When an employee is being fired/transferred, what should you consider before deleting their account, and when is it okay to delete the account?

An account should never be deleted first. Disable the account until enough time has passed without any reason to audit the individual. Once enough time has passed, deletion can be an option again in the IAM system.

Define Asset

An asset is anything used in a business process or task. If an organization relies on a person, place, or thing, whether tangible or intangible, then it is an asset.

Define Risk Rejection

An unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due care/due diligence responses to risk. Rejecting or ignoring risk may be considered negligence in court.


Define Threats

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat. Threats are any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets, or that could block access to or prevent maintenance of assets. They can be intentional or accidental. They can originate from inside or outside. You can loosely think of a threat as a weapon that could cause harm to a target.

Define Asset Valuation

Asset valuation is the value assigned to an asset based on a number of factors, including importance to the organization, use in critical processes, actual cost, and non-monetary expenses/costs (such as time, attention, productivity, and research and development). When performing a math-based risk evaluation, a dollar figure is assigned as the asset value.

Define Risk Assignment

Assigning risk, or transferring risk, is the placement of the responsibility for loss due to a risk onto another entity or organization. Purchasing cybersecurity or traditional insurance and outsourcing are common forms of assigning or transferring risk.

Define Quantitative Risk Analysis.

Assigns real dollar figures to the loss of an asset and is based on mathematical calculations.

Auditing is necessary for what?

Checking for compliance. Auditing to ensure that laws, regulations, baselines, guidelines, standards, best practices, contracts, and policies are being followed is an important part of maintaining security in any environment.

Define Compliance

Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern of security governance.

What is the difference between residual risk and total risk known as?

Controls gap

What does determining which risks are acceptable require?

Detailed and complex asset and risk assessments, as well as a thorough understanding of the organization's budget, internal expertise and experience, business conditions, and many other internal and external factors.

What should a new hire sign stating that they understand their job responsibilities, the security policy, the details of the job description, violations and consequences, and the minimum or probationary length of time the position is to be filled by the employee?

Employment agreement.

Define Exposure

Exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event. Exposure doesn't mean that a realized threat (an event that results in loss) is actually occurring, just that there is the potential for harm to occur. The quantitative risk analysis value of exposure factor (EF) is derived from this concept.

What is it called when you combine a qualitative approach with a quantitative approach?

Hybrid assessment or a hybrid analysis.

While upper management is responsible for risk management, to whom do they usually delegate the responsibility?

IT and the security department, but it is the responsibility of upper management to initiate and support risk assessment.

What system will provide an account when necessary in an organization, in cases where a new member needs an account?

The Identity and Access Management (IAM) system of the organization.

Define Inherent Risk?

Inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed.

Define Risk Assessment (aka Risk Analysis)

It is the examination of an environment for risk, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk.

Define the annualized rate of occurrence (ARO)

It's the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.

What is the Delphi technique, and what is its purpose?

It's basically a feedback/response system used to elicit honest and uninfluenced feedback. It helps elicit unbiased responses.

What are job responsibilities?

Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. Depending on their responsibilities, employees require access to various objects, resources, and services.

The largest ALE is the biggest what?

Largest problem!

Explain mandatory vacations.

Mandatory vacations are used as a peer review process. This process requires a worker to be away from the office, and without remote access, for one to two weeks per year. This is a time when employers can detect fraud, abuse, or negligence in a department.

When does multiparty risk exist?

Multiparty risk exists when several entities or organizations are involved in a project. The risks or threats are often due to variations in the objectives, expectations, timelines, budgets, and security priorities of those involved.

Which publication gives you an expansive list of threat examples, concepts, and categories?

NIST 800-30r1

What procedures should be properly documented in order to ensure consistency of application as well as compliance with regulations or contractual requirements?

Onboarding paperwork.

Define Outsourcing

Outsourcing is the term often used to describe the use of an external third party, such as a vendor, consultant, or contractor, rather than performing the task or operation in-house.

In regards to hiring, what has become a standard practice for many hiring organizations?

Performing online background checks and reviewing employees is a standard practice in today's hiring process. If a company goes online and finds inappropriate content, the candidate won't be as attractive.

Define privacy and explain why it is hard to define.

Privacy can have several meanings due to its nature. Since it is used in different contexts, sometimes it can't be quantified or qualified. The following are several definitions:

1. Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization), known as personally identifiable information (PII).
2. Freedom from unauthorized access to information deemed personal or confidential.
3. Freedom from being observed, monitored, or examined without consent or knowledge.

What is the difference between qualitative and quantitative analysis, from the qualitative side?

Qualitative analysis is more scenario-based than calculation-based. Instead of assigning a loss potential to a device, qualitative analysis may rank devices on a relative scale based on their risk, cost, and effect.

What are the two primary risk assessment methodologies?

Quantitative and qualitative risk analysis.

Define Risk Mitigation

Reducing risk, or risk mitigation, is the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats.

What is Residual risk?

Residual risk is the risk left over once safeguards, security controls, and countermeasures are implemented; the risk that remains is the residual risk. These are threats that upper management is okay with not responding to.

Define Risk Deterrence

Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. The goal is to convince a threat agent not to attack. Some examples include implementing auditing, security cameras, and warning banners; using security guards; and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.

Define Risk Tolerance

Risk tolerance is the amount or level of risk that an organization will accept per individual asset-threat pair. This is often related to a risk target, which is the preferred level of risk for a specific asset-threat pair. Also related is the risk limit, which is the maximum level of risk above the risk target that will be tolerated before further risk management actions are taken.

Define Risk Avoidance

Risk avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.

Define Risk

Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset, and the severity of damage that could result. The more likely it is that a threat event will occur, the greater the risk. The greater the amount of harm that could result if a threat is realized, the greater the risk. Every instance of exposure is a risk.

Explain what risk management is.

Risk management is a detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

Define Risk Response

Risk response involves evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis; adjusting findings based on other conditions, concerns, priorities, and resources; and providing a proposal of response options in a report to senior management.

When risk is written as a conceptual formula, what does it look like?

Risk = Threat * Vulnerability, or Risk = probability of harm * severity of harm.

What focus should a service level agreement have?

SLAs should include a focus on protecting and improving security, in addition to ensuring quality and timely services at a reasonable price.

How is the single loss expectancy (SLE) calculated?

SLE = asset value (AV) * exposure factor (EF), or more simply SLE = AV * EF.

What are some worker management and evaluation techniques?

Separation of duties, job rotation, and cross-training.

What is the principle of least privilege?

It states that an individual should have the minimum amount of access necessary to complete their job responsibilities.

Define the Annualized Loss Expectancy

The annualized loss expectancy (ALE) is the possible yearly loss from all instances of a specific realized threat against a specific asset. The ALE is calculated using the following formula.

What makes Compliance an administrative or managerial security control?

The fact that it focuses on policies and people abiding by those policies (as well as whether the IT and physical elements of the organization comply with policies).

Who does an exit interview and what is the purpose?

The purpose is to learn about an employee's experience and how the organization may improve. It is usually done by HR.

In order to get optimum results with a qualitative risk assessment what should the organization consider?

They should consider adding people laterally and vertically, i.e., there should be everyone from upper management all the way down to end users involved, and just as upper management is represented, there should be leadership from a networking team, a sysadmin team, and/or security. The more diversity, the better your team.

Define Single Loss Expectancy

The single loss expectancy (SLE) is the potential loss associated with a single realized threat against a specific asset.

Define Vulnerability

The weakness in an asset, or the absence or weakness of a safeguard or countermeasure, is a vulnerability. In other words, a vulnerability is a flaw, loophole, oversight, error, limitation, frailty, or susceptibility that enables a threat to cause harm.

In order to ensure due care and due diligence what should be done by upper management?

They should go over all risk assessments; the results, decisions, and outcomes must be understood and approved by upper management.

Define and explain Onboarding

This is the process of adding new employees to an organization: having them review and sign employment agreements and policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. Onboarding can also include organizational socialization and orientation.

Define Collusion

When people work together to perpetrate a crime, it's called collusion.

Define Threat Agents/Actors

Threat agents or threat actors intentionally exploit vulnerabilities. Threat agents are usually people, but they could also be programs, hardware, or systems. Threat agents wield threats in order to cause harm to a target.

Define Threat Events

Threat events are accidental occurrences and intentional exploitations of vulnerabilities. They can also be natural or man-made. Threat events include fire, earthquake, flood, system failure, and human error.

What is the conceptual formula for total risk?

Threats * Vulnerabilities * Asset Value = Total Risk

Can you explain/draw out the cyclical relationship of risk elements?

Threats can lead to the exploitation of a vulnerability, which can result in an exposure, which is a risk; that risk can be mitigated by safeguards in order to protect assets, which are endangered by threats.

How are the terms threat, vulnerability, and exposure tied to each other?

Threats exploit vulnerabilities, which results in exposure. Exposure is risk, and risk is mitigated by safeguards. Safeguards protect assets that are endangered by threats.

What is it important to consider when evaluating risk?

All possible risks, including accidents, natural disasters, financial threats, civil unrest, pandemics, physical threats, technical exploitation, and social engineering.

What is the point of risk analysis in regards to assets, and what rule should be used regarding risk analysis?

To ensure the asset is worth the safeguard. It doesn't make sense to spend $100,000 protecting a device that is only worth $5,000. As a rule, the annual cost of safeguards should not exceed the potential annual cost of asset value loss.

Define Total Risk

Total risk is the amount of risk an organization would face if no safeguards were implemented.

Who is primarily responsible for risk management?

Upper Management

Define User Behavior Analytics (UBA) and User and Entity Behavior Analytics (UEBA)

User Behavior Analytics (UBA) and user and entity behavior analytics (UEBA) are the concepts of analyzing the behavior of users, subjects, visitors, customers, and so forth for some specific goal or purpose. The E in UEBA extends the analysis to include entity activities.

Why is it a good idea to use both qualitative and quantitative risk analysis in an organization?

Using either one helps with risk analysis, but using both lets each check the other's results. This helps the organization adjust or modify particular items to better fit its goals, i.e., qualitative results can help adjust quantitative results.

Why should privacy issues be addressed/codified in a privacy policy?

When dealing with restrictions on personal data, use of email, retention of email, recording of phone conversations, gathering information about surfing or spending habits, and so on.

What is the difference between quantitative and qualitative risk assessment, from the quantitative side?

With quantitative analysis you will receive concrete probability indications or a numeric indication of relative risk potential. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.

How do you start the process of quantitative risk analysis?

With an asset valuation and threat identification (which can be performed in any order).

To understand and apply security governance what must be addressed?

You must address the weakest link in the environment/security chain, namely people.

Define Attack

An attack is the intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets. An attack can also be viewed as any violation of or failure to adhere to an organization's security policy. A malicious event does not need to succeed in violating security to be considered an attack.

Define Qualitative Risk Analysis.

It assigns subjective and intangible values to the loss of an asset and takes into account perspectives, feelings, intuition, preferences, ideas, and gut reactions.

How does the diversity of the team help an organization?

Diversity based on the demographics of the organization will help exhaustively identify and address all possible threats and risks.

How can you reduce the chances that workers will collaborate with each other in illegal activity?

Ensure that the principles of separation of duties, restricted job responsibilities, mandatory vacations, job rotation, and cross-training are implemented; these reduce the likelihood of collusion.

Once ALEs are calculated, how should they be sorted?

From largest to smallest.

Define Risk Appetite

It's the total amount of risk that an organization is willing to shoulder in aggregate across all assets.

What is inherent risk also known as?

Initial risk or starting risk.



What is risk management composed of?

It is composed of two primary elements: risk assessment and risk response.

What is compliance enforcement?

It's the application of sanctions or consequences for failing to follow policy, training, best practices, and/or regulations. Such enforcement efforts could be performed by the chief information security officer (CISO) or chief security officer (CSO), worker managers and supervisors, auditors, and third-party regulators.

What is an essential part of risk management?

Identifying and examining threats.

Define Risk Capacity

It's the amount of risk an organization can shoulder.

Define Risk Awareness

It's the effort to increase the knowledge of risk within an organization.

Define Offboarding

It's the removal of an employee's identity from the IAM system once that person has left the organization.

The primary goal of risk management is to...

Reduce risk to an acceptable level. What that level actually is depends on the organization, the value of its assets, the size of its budget, and many other factors.

Define Exposure Factor. What is another name for it?

It represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. It is also known as loss potential.

When an individual leaves, should an NDA be signed again?

Yes, so that they understand the agreements necessary.

How do you start an asset-based or asset-initiated risk analysis?

You do a full inventory of all the organization's assets. Once complete, a valuation needs to be assigned to each asset.
