
Chapter 2: Personnel Security and Risk Management Concepts


1 Chapter 2: Personnel Security and Risk Management Concepts

2 Contribute to Personnel Security Policies
Personnel management
Employment candidate screening
Employment agreements and policies
Employment termination processes
Vendor, consultant, and contractor controls
Compliance
Privacy

3 Personnel Management
Job descriptions
Separation of duties
Job responsibilities
Job rotation
Cross-training
Collusion

4 Employment Candidate Screening
Based on job description
Background checks
Reference checks
Education verification
Security clearance validation
Online background checks

5 Employment Agreements and Policies
Nondisclosure agreement
Noncompete agreement
Audit job descriptions, work tasks, privileges, and responsibilities
Mandatory vacations

6 Employment Termination Processes
Maintain control and minimize risks
Exit interview
Terminate access
Return company property

7 Vendor, Consultant, and Contractor Controls
Define the levels of performance, expectation, compensation, and consequences
Service-level agreement (SLA)
Risk reduction and risk avoidance

8 Compliance
Conforming to or adhering to rules, policies, regulations, standards, or requirements
Maintaining high levels of quality, consistency, efficiency, and cost savings

9 Privacy
Active prevention of unauthorized access to information that is personally identifiable
Freedom from unauthorized access to information deemed personal or confidential
Freedom from being observed, monitored, or examined without consent or knowledge
Legislative and regulatory compliance issues

10 Security Governance
Maintain business processes while striving toward growth and resiliency
Third-party governance
Auditing
Compliance
Documentation review

11 Manage Personnel Security

12 Pre-Hiring Process
Management of personnel is critical
People are the weakest link!
Background checks
Background, credit & reference checks
Education verification
Social media
Job description

13 Hiring
Onboarding process:
Nondisclosure agreement (NDA)
Noncompete agreement (NCA)
HR & security policy agreement
Account provisioning
On the job:
Training
Management structure – job rotation
Service level agreement (SLA) for vendors or contractors

14 Termination Procedures
Final payroll & HR paperwork
Exit interview
Accounts suspended or terminated
Turn over company property: equipment (laptop, cell phone, token), access badge, keys
Escorted out of premises
Vacate premises immediately under supervision

15 Security Awareness
Mandatory or voluntary?
On site or online?
Standard or customized?
Target audiences: management, staff, technical employees
Evaluating the program
CISSP-Domain #1

16 Security Awareness-2
General, collective awareness of an organization’s personnel of the importance of security & security controls
Reduce unauthorized attempts by personnel (insider threat); WEAKEST LINK!
Increase effectiveness of protection controls
Avoid fraud, waste, & abuse of computing resources
Establish employee accountability for their actions & impact to overall security posture
Improve employee attitude & behavior towards security

17 Security Awareness - Program
                     Awareness                 Training        Education
Level                Information               Knowledge       Insight
Learning objective   Recognition & retention   Skill           (blank on slide)
Impact timeframe     Short-term                Intermediate    Long-term

18 Understand and Apply Risk Management Concepts
Risk terminology
Identify threats and vulnerabilities
Risk assessment/analysis
Risk assignment/acceptance
Countermeasure selection and assessment
Implementation
Types of controls
Monitoring and measurement
Asset valuation
Continuous improvement
Risk frameworks

19 Risk Terminology
Asset
Asset valuation
Threats
Vulnerability
Exposure
Safeguard, countermeasure
Attack, breach

20 Identify Threats and Vulnerabilities
Inventory all threats for each asset
Threat agents
Threat events
Include non-IT sources

21 Risk Assessment/Analysis
Quantitative analysis: money based and measured by formula; the result is only a monetary value attached to the risk
Qualitative analysis: based on scenarios and situations; the result is a level: High, Medium, Low

22 Quantitative Analysis
AV - Asset Value
EF - Exposure Factor
SLE - Single Loss Expectancy
ARO - Annual Rate of Occurrence
ALE - Annualized Loss Expectancy
Cost-benefit equations:
SLE = AV x EF
ALE = SLE x ARO

23 Using SLE, ARO, ALE Example
Asset           Threat     SLE      ARO   ALE
Building        Flood      $750k    0.1   $75k
Server          Failed     $14k     0.1   $1.4k
Data            Employee   $5k      1.0   $5k
Credit Cards#   Theft      $250k    3.0   $750k

24 Qualitative Analysis
Brainstorming
Delphi technique
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews

25 Impact Analysis Levels
Magnitude of impact: Level I (high), Level II, Level III, Level IV (low)
Consequences:
Loss of life
Loss of political or military advantage
Loss of operations / mission failure
Legal repercussions
Embarrassment
Cost of rework, repair, or replacement
No significant consequences

26 Risk Assignment/Acceptance
Reduce or mitigate
Assign or transfer
Accept
Reject or ignore
Total risk vs. residual risk

27 Risk Analysis: Countermeasures, Total Risk, Residual Risk
Value of safeguard to the company = (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)
Total risk = threats x vulnerability x asset value
Residual risk = total risk x controls gap
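The quantitative formulas from slides 22, 23 and 27 (SLE = AV x EF, ALE = SLE x ARO, and value of safeguard = ALE before - ALE after - annual cost) carried through in code, as an added worked example that is not part of the original deck. The four asset/threat rows come from the "Using SLE, ARO, ALE" slide; because that slide gives SLE directly, the AV/EF splits, the two candidate safeguards, their annual costs and their effect on ARO are constructed assumptions for illustration.

```python
"""Worked quantitative risk analysis (added example, not from the deck):
SLE = AV x EF, ALE = SLE x ARO, and
value of safeguard = ALE(before) - ALE(after) - annual cost of safeguard.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair. AV and EF are constructed so that AV x EF
    reproduces the SLE figures on the 'Using SLE, ARO, ALE' slide."""
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self) -> None:
        # Reject inputs that would make the arithmetic meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost each time the threat occurs."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollars lost per year."""
        return round(self.sle() * self.aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Deck formula: (ALE before) - (ALE after) - (annual cost). Positive means the
    safeguard saves more than it costs; negative means it is not cost-justified."""
    return round(ale_before - ale_after - annual_cost, 2)


def evaluate_safeguard(exposure: Exposure, annual_cost: float,
                       new_aro: Optional[float] = None,
                       new_ef: Optional[float] = None) -> float:
    """Value of a safeguard that lowers the threat frequency (ARO), the damage
    per event (EF), or both, for one asset/threat pair."""
    after = Exposure(exposure.asset, exposure.threat, exposure.asset_value,
                     exposure.exposure_factor if new_ef is None else new_ef,
                     exposure.aro if new_aro is None else new_aro)
    return safeguard_value(exposure.ale(), after.ale(), annual_cost)


# The four rows from the slide. The AV/EF splits are constructed; the slide gives SLE only.
REGISTER = [
    Exposure("Building", "Flood", asset_value=7_500_000, exposure_factor=0.10, aro=0.1),
    Exposure("Server", "Failed", asset_value=14_000, exposure_factor=1.0, aro=0.1),
    Exposure("Data", "Employee", asset_value=50_000, exposure_factor=0.10, aro=1.0),
    Exposure("Credit Cards#", "Theft", asset_value=250_000, exposure_factor=1.0, aro=3.0),
]


def ale_table(register=REGISTER) -> dict:
    """Map each asset name to its ALE, the figure used to rank where to spend."""
    return {e.asset: e.ale() for e in register}


if __name__ == "__main__":
    print(f"{'Asset':14}{'Threat':10}{'SLE':>12}{'ARO':>6}{'ALE':>12}")
    for e in REGISTER:
        print(f"{e.asset:14}{e.threat:10}{e.sle():>12,.0f}{e.aro:>6}{e.ale():>12,.0f}")
    # Constructed safeguard: a $20k/yr flood barrier cutting flood ARO from 0.1 to 0.02.
    print("Flood barrier value:", evaluate_safeguard(REGISTER[0], 20_000, new_aro=0.02))
    # Constructed safeguard: an $800k/yr card vault whose cost exceeds the ALE it removes.
    print("Card vault value:", evaluate_safeguard(REGISTER[3], 800_000, new_aro=0.4))
```

Running the block reproduces the slide's ALE column ($75k, $1.4k, $5k, $750k) and then shows both outcomes of the slide-27 equation: the flood barrier returns a positive value ($40k) and is justified, while the card vault returns a negative value (-$150k), which is the signal that a cheaper control or a different risk response (transfer, accept) should be considered.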

28 Countermeasure Selection and Assessment
Costs and benefits
Reduce attack benefit
Solve a real problem
Nondependent upon secrecy
Testable
Uniform protection
No dependencies
Tamperproof

29 Implementation
Administrative
Logical/technical
Physical
Defense in depth

30 Types of Controls
Deterrent
Preventive
Detective
Compensating
Corrective
Recovery
Directive

31 Monitoring and Measurement
Quantified, evaluated, or compared
Native/internal monitoring or external monitoring
Measuring the effectiveness

32 Asset Valuation
Used to justify protections
Tangible value
Intangible value
Used in cost-benefit analysis
Helps select safeguards
Defines level of risk

33 Continuous Improvement
Security is always changing, so continuous improvement needs to be integrated into deployed security solutions. Risk analysis is a “point-in-time” metric. As threats change, so must security.

34 Risk Frameworks
Guideline or recipe for how risk is to be assessed, resolved, and monitored
NIST Special Publication Risk Management Framework (RMF)
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Factor Analysis of Information Risk (FAIR)
Threat Agent Risk Assessment (TARA)

35 Establish and Manage Information Security Education, Training, and Awareness
Security requires changes in user behavior.
Seek policy compliance.
Awareness
Training
Education

36 Manage the Security Function
Security governance
Risk assessment
Craft security policy
Cost-effective
Measurable security
Resource management
