CISSP Chapter 2, Domain 1 - Personnel Security and Risk Management Concepts


Safeguard cost/benefit analysis

(pre-countermeasure ALE - post-countermeasure ALE) - ACS (annual cost of safeguard)

RMF (NIST) Steps

1. Categorize (information systems)
2. Select (initial set of baseline controls)
3. Implement (security controls)
4. Assess (controls using assessment procedures)
5. Authorize (systems based on determined risk)
6. Monitor (controls on an ongoing basis)

Risk management

A detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

Asset valuation

A dollar value assigned to an asset based on actual cost and nonmonetary expenses. These can include costs to develop, maintain, administer, advertise, support, repair, and replace an asset.

Risk Management Framework

A guideline or recipe for how risk is to be assessed, resolved, and monitored. NIST 800-37

Privacy

Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization)

Deterrent Control

Aims to discourage violation of security policies.

Who is responsible for risk assessment?

All risk assessments, results, decisions, and outcomes must be understood and approved by upper management as an element in providing prudent due care.

Recovery controls

An extension of corrective controls but have more advanced or complex abilities. Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

Threat

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset; any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets, or that could block access to or prevent maintenance of assets.

Safeguard

Anything that removes or reduces a vulnerability or protects against one or more specific threats. Safeguards are the only means by which risk is mitigated or removed.

Asset

Anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/formulas, intellectual property, personnel, software, facilities, and so on.

ATO

Authorisation To Operate

Exposure

Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event.

What reduces the risk of collusion?

Employing the principles of separation of duties, restricted job responsibilities, and job rotation reduces the likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme because of the higher risk of detection.

Screening

Essential element in proving that a candidate is adequate, qualified, and trustworthy for a secured position.

Exposure Factor (EF)

Indicates the expected overall asset value loss because of a single realized risk, expressed as a percentage.

Mandatory vacations

Used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.

Directive Controls

It is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

Detective Control

It is deployed to discover or detect unwanted or unauthorized activity. It operates after the fact and can discover the activity only after it has occurred.

Compensating Control

It is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

Preventive Control

It is deployed to thwart or stop unwanted or unauthorized activity from occurring.

Documentation Review

It is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk.

Corrective Control

It modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident.

Job Rotation security purpose

It reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. Job rotation also provides a form of peer auditing and protects against collusion.

Termination policy

It should include items such as always having a witness, disabling the employee's network access, and performing an exit interview.

Quantitative Risk Analysis

Its end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.

Risk of job rotation

One concern with job rotation, cross-training, and long-tenure employees is their continued collection of privileges and accesses, many of which they no longer need.

Risk appetite

The ability of an organization to absorb the losses associated with realized risks.

Single Loss Expectancy (SLE)

The cost associated with a single realized risk against a specific asset. Calculated as AV * EF

Annualized Rate of Occurrence (ARO)

The expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.

Attack

The exploitation of a vulnerability by a threat agent. In other words, it is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets.

Breach

The occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Collusion

The occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage.

Risk

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. It is an assessment of probability, possibility, or chance. risk = threat * vulnerability

Onboarding

The process of adding new employees to the identity and access management (IAM) system of an organization. The onboarding process is also used when an employee's role or position changes or when that person is awarded additional levels of privilege or access.

Risk Deterrence

The process of implementing deterrents to would-be violators of security and policy

Documentation review

The process of reading the exchanged materials and verifying them against standards and expectations. It is typically performed before any on-site inspection takes place.

Risk Avoidance

The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.

Risk Acceptance

The result after a cost/benefit analysis shows that countermeasure costs would outweigh the possible cost of loss due to a risk.

Separation of Duties

The security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators.

Third-party governance

The system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. It focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations.

DELPHI Technique

The technique is simply an anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

Vulnerability

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure

Elements of risk

Threats -> Vulnerabilities -> Exposure -> Risk -> Safeguards -> Assets -> Threats...

Service-level agreement (SLA)

Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization.

Controls Gap

amount of risk that is reduced by implementing safeguards.

Vulnerability

The absence or weakness of a safeguard or countermeasure.

Compliance

the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. It is an important concern to security governance.

Security Governance

the collection of practices related to supporting, defining, and directing the security efforts of an organization

Risk Mitigation

the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats.

Risk Assignment / Risk Transfer

the placement of the cost of loss a risk represents onto another entity or organization.

Annualized Loss Expectancy (ALE)

the possible yearly cost of all instances of a specific realized threat against a specific asset. Calculated as SLE * ARO

Residual Risk

the risk that management has chosen to accept rather than mitigate.

Total (inherent) risk formula

threats * vulnerabilities * asset value (* is a combination rather than multiplication)

