2 - Personnel Security and Risk Management

Question 1

What is the weakest link of any security solution?

Answer 1

Humans

Question 2

What is the difference between job description and a role description?

Answer 2

Roles typically align a rank or level of privilege. Job descriptions map to specifically assigned responsibilities and tasks.

Question 3

What is Separation of Duties?

Answer 3

Where critical tasks are divided among several individual administrators. Prevents one person from having the ability to undermine security mechanisms

Question 4

What are Job Responsibilities?

Answer 4

The specific work tasks an employee is required to perform on a regular basis.

Question 5

What is Job Rotation?

Answer 5

Rotating employees amomg multiple positions. Provides knowledge redundancy and reduces risk of fraud, data misuse of information, etc.

Question 6

What is Privilege creep?

Answer 6

The continued collection of privileges, permissions, etc. without the removal unncessary rights along the way.

Question 7

What is a Background Check?

Answer 7

Obtaining a candidate’s work, educational history, checking references, interviewing people in their lives, checking for a record, etc.

Question 8

What is an NDA?

Answer 8

A document used to protect the confidential information within an organization from being disclosed by a former employee. Violations are met with strict penalties.

Question 9

Why are Mandatory Vacations necessary/important?

Answer 9

It allows an audit of work tasks and privileges of eomployees.

Question 10

What is Onboarding?

Answer 10

The process of adding new employees to the identity and access management system. Also used when when an employee’s role changes.

Question 11

What is Offboarding?

Answer 11

The removal of an employee’s identity from an IAM system once they leave the organization.

Question 12

What is the proper procedure for Terminations?

Answer 12

They should take place with at least one witness (manager or security), terminated person needs to be escorted off the premises immediately, and all access related materials need to be collected and revoked.

Question 13

What is an Exit Interview?

Answer 13

To review the liabilities and restrictions placed on the former based on employee agreement, NDA, and other security related docs.

Question 14

What is a Service Level Agreement?

Answer 14

The levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization.

Question 15

What are the commonly adressed issues in SLA’s?

Answer 15

• System Uptime
• Maximum Consecutive Downtime
• Peak Load
• Average Load
• Responsibility for Diagnostics
• Failover Time
• Financial and/or contractual remedies that kick in if agreement is not maintained.

Question 16

What is Compliance?

Answer 16

The act of conforming to or adhering to rules, policies, regulations, standards, or requirements

Question 17

What is Privacy?

Answer 17

• Active prevention of unauthorized access to information that is personally identifiable.
• Freedom from unauthorized access to information deemed personal or confidential.
• Freedom from being observed, monitored, or examined without consent or knowledge.

Question 18

What is PII?

Answer 18

Personally Identifiable Information (PII) is any data that can be easily and/or obviously traced back to the person of origin or concern:

• Phone number
• Email address
• Mailing Address
• Social Security Number
• Name
• Can vary by country

Question 19

What is Security Governance?

Answer 19

The collection of practices related to supporting, defining, and directing the security efforts of an organization.

Question 20

What is Third-Party Governance?

Answer 20

The system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. Generally involves an outside invstigator or auditor.

Question 21

What is Documentation Review?

Answer 21

The process of reading the exchanged materials and verifying them against standards and expectations.

Question 22

What is Risk Management?

Answer 22

A detailed process of identifying factors that could damage or disclose data and implementing cost-effective solutions for mitigating or reducing risk.

Question 23

What is Risk Analysis?

Answer 23

Examining an environment for risks, evaluating each threat event as to its likelihood of occuring and cost of damage, assessing cost of countermeasure, and creating a cost/benefit report for safeguards to present to upper management.

Question 24

What are some common terms for Risk?

Answer 24

• Asset: Anything within an environment that should be protected.
• Asset Valuation: A dollar value assigned to an asset based on actual cost and nonmonetary expenses.
• Threats: Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific assest.
• Vulnerability: The weakness in an asset or the absence or the weakness of a safeguard or countermeasure.
• Exposure: Being susceptible to asset loss because of a threat; the possibility that a vulnerability will be exploited by a threat agent.
• Risk: The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
• Safeguards: (security control, Countermeasure) Anything that removes or reduces a vulnerability or protects against one or more specific threats.
• Attack: The exploitation of a vulnerability by a threat agent.
• Breach: The occurrence of a security mechanism being bypassed or thwarted by a threat agent.

Question 25

What is the formula for Risk?

Answer 25

*risk = threat \* vulnerability*

Question 26

What are the different models of **Risk Analysis**?

Answer 26

* **_Quantative Risk Analysis_**: The results have concrete probability percentages and/or dollar figures. * **_Qualitative Risk Analysis_**: More scenario based than calculator based where you rank threats on a scale.

Question 27

What is the formula for ALE?

Answer 27

* **Calculate Single Loss Expectancy** (SLE): * SLE = Asset Value (AV) \* Exposure Factor (EF) * **Annualized Loss Expectancy** (ALE): * ALE = SLE \* ARO * ARO (Annualized Rate Occurrence) * #/year

Question 28

What is the **Delphi Technique**?

Answer 28

An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus.

Question 29

What are some actions you can take risks found in the environment?

Answer 29

* **_Risk Mitigation_**: (Reducing risk) The implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. * **_Risk Assignment_**: (Assigning risk, transferring risk) The placement of the cost of loss a risk represents onto another entity or organization. * **_Risk Acceptance_**: The result after cost/benefit analysis shows countermeasure cost would outweigh the possible cost of loss due to a risk. * **_Risk Deterrence_**: The process of implementing deterrents to would be violators of security and policy. * **_Risk Avoidance_**: The process of selecting alternate options or activities that have less associated risk than the default, common, or cheap option. * **_Risk Rejection_**: Denying that a risk exists and hoping that it will never be realized are not vlaid or prudent due-care responses to risk. * **_Residual Risk_**: Comprises threats to specific assets against which upper management chooses not to implement a safeguard. * **_Total Risk_**: The amount of risk an organization would face if no safeguards were implemented. * threats \* vulnerabilities \*asset value = total risk

Question 30

What are the 3 categories of Security Mechanisms?

Answer 30

* **_Technical/Logical_**: The hardware or software mechanisms used to manage access and to provide protection for resources and systems. * **_Administrative_**: The policies and procedures defined by an organization's security policy and other regulations or requirements. * **_Physical_**: Items you can physically touch.

Question 31

What are the different types of security controls?

Answer 31

* **_Deterrent_**: Deployed to discourage violation of security policies (locks, fences, security badges) * **_Preventive_**: Deployed to thwart or stop unwanted or unauthorized activity from occurring (fences, locks, biometrics) * **_Detective_**: Deployed to discover or detect unwanted or unauthorized activity (security guards, motion detectors) * **_Compensating_**: Deployed to provide various options to other existing controls to aid in enforcement and support of security policies. * **_Corrective_**: Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred (anti-virus, backup restore). * **_Recovery_**: An extension of corrective controls but have more advanced or complex abilities (hot sites, warm sites, cold sites) * **_Directive_**: Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies (security policy requirements, posted notifications, escape route exit signs).

Question 32

What is a **Security Control Assessment**?

Answer 32

The formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation.

Question 33

What is **Risk Reporting**?

Answer 33

A key task to perform at the conclusion of a risk analysis. The production of a risk report and a presentation of that report to the interested/relevant parties.

Question 34

What is a **Risk Framework**?

Answer 34

A guideline or recipe for how risk is to be assessed, resolved, and monitored.

Question 35

What are the steps of the **Risk Management Framework**?

Answer 35

* **_Categorize_**: The information system and the information processed, stored, and transmitted by that system based on an impact analysis. * **_Select_** an initial set of baseline controls and describe how the controls are employed within the information system and its environment of operation. * **_Implement_** the security controls and describe how the controls are employed within the information system and its environment of operation. * **_Assess_** the security controls using appropriate assessment procedures. * Authorize information system operation based on a determination of the risk. * Monitor the security controls in the information system on an ongoing basis [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf)

Question 36

What is Awareness, Training, and Education?

Answer 36

* **_Awareness_**: Establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics. * **_Training_**: Teaching employees to perform their work tasks and comply with the security policy. * **_Education_**: A more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks.