Gibson Darril

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide



      Chapter 2

      Personnel Security and Risk Management Concepts

      THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

      ✓ Domain 1: Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)

      ■ H. Contribute to personnel security policies

      ■ H.1 Employment candidate screening (e.g., reference checks, education verification)

      ■ H.2 Employment agreements and policies

      ■ H.3 Employment termination processes

      ■ H.4 Vendor, consultant, and contractor controls

      ■ H.5 Compliance

      ■ H.6 Privacy

      ■ I. Understand and apply risk management concepts

      ■ I.1 Identify threats and vulnerabilities

      ■ I.2 Risk assessment/analysis (qualitative, quantitative, hybrid)

      ■ I.3 Risk assignment/acceptance (e.g., system authorization)

      ■ I.4 Countermeasure selection

      ■ I.5 Implementation

      ■ I.6 Types of controls (preventive, detective, corrective, etc.)

      ■ I.7 Control assessment

      ■ I.8 Monitoring and measurement

      ■ I.9 Asset valuation

      ■ I.10 Reporting

      ■ I.11 Continuous improvement

      ■ I.12 Risk frameworks

      ■ L. Establish and manage information security education, training, and awareness

      ■ L.1 Appropriate levels of awareness, training, and education required within organization

      ■ L.2 Periodic reviews for content relevancy

      ✓ Domain 6: Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

      ■ C.5 Training and awareness

      The Security and Risk Management domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with many of the foundational elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms.

      Additional elements of this domain are discussed in various chapters: Chapter 1, “Security Governance Through Principles and Policies”; Chapter 3, “Business Continuity Planning”; and Chapter 4, “Laws, Regulations, and Compliance”. Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.

      Because of the complexity and importance of hardware and software controls, security management for employees is often overlooked in overall security planning. This chapter explores the human side of security, from establishing secure hiring practices and job descriptions to developing an employee infrastructure. Additionally, we look at how employee training, management, and termination practices are considered an integral part of creating a secure environment. Finally, we examine how to assess and manage security risks.

      Contribute to Personnel Security Policies

      Humans are the weakest element in any security solution. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take into account the humanity of your users when designing and deploying security solutions for your environment. To understand and apply security governance, you must address the weakest link in your security chain – namely, people.

      Issues, problems, and compromises related to humans occur at all stages of a security solution development. This is because humans are involved throughout the development, deployment, and ongoing administration of any solution. Therefore, you must evaluate the effect users, designers, programmers, developers, managers, and implementers have on the process.

      Hiring new staff typically involves several distinct steps: creating a job description, setting a classification for the job, screening employment candidates, and hiring and training the one best suited for the job. Without a job description, there is no consensus on what type of individual should be hired. Thus, crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires. Personnel should be added to an organization because there is a need for their specific skills and experience. Any job description for any position within an organization should address relevant security issues. You must consider items such as whether the position requires the handling of sensitive material or access to classified information. In effect, the job description defines the roles to which an employee needs to be assigned to perform their work tasks. The job description should define the type and extent of access the position requires on the secured network. Once these issues have been resolved, assigning a security classification to the job description is fairly standard.

      The Importance of Job Descriptions

      Job descriptions are important to the design and support of a security solution. However, many organizations either have overlooked this or have allowed job descriptions to become stale and out of sync with reality. Try to track down your job description. Do you even have one? If so, when was it last updated? Does it accurately reflect your job? Does it describe the type of security access you need to perform the prescribed job responsibilities? Some organizations must craft job descriptions to be in compliance with SOC-2, while others following ISO 27001 require annual reviews of job descriptions.

      Important elements in constructing job descriptions that are in line with organizational processes include separation of duties, job responsibilities, and job rotation.

Separation of Duties Separation of duties is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators (Figure 2.1). This prevents any one person from having the ability to undermine or subvert vital security mechanisms. Think of separation of duties as the application of the principle of least privilege to administrators. Separation of duties is also a protection against collusion, which is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage.

Figure 2.1 An example of separation of duties related to five admin tasks and seven administrators

      Job Responsibilities Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. Depending on their responsibilities, employees require access to various objects, resources, and services. On a secured network, users must be granted access privileges for those elements related to their work tasks. To maintain the greatest security, access should be assigned according to the principle of least privilege. The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. True application of this principle requires low-level granular access control over all resources and functions.

Job Rotation Job rotation, or rotating employees among multiple job positions, is simply a means by which an organization improves its overall security (Figure 2.2). Job rotation serves two functions. First, it provides a type of knowledge redundancy. When multiple employees are all capable of performing the work tasks required by several job positions, the organization is less likely to experience serious downtime or loss in productivity if an illness or other incident keeps one or more employees out of work for an extended period of time.
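The three personnel controls just described (separation of duties, least privilege, and the knowledge-redundancy side of job rotation) can all be checked mechanically against a table of who is assigned which administrative task. The script below is an added example written for this page; it is not code from the study guide or from (ISC)2. The five task names, the pairs of tasks treated as mutually exclusive, the seven administrators and their job descriptions are all constructed to mirror the shape of Figure 2.1 and carry no real-world meaning.

```python
"""Review an admin task roster for the personnel controls discussed above.

Added example (not from the study guide). All task names, conflict pairs,
administrators and job descriptions below are constructed sample data.
"""
from itertools import combinations

# Constructed: five administrative tasks, as in Figure 2.1.
TASKS = {"backup", "restore", "audit_log_review",
         "user_provisioning", "firewall_change"}

# Constructed: pairs of tasks one person must never hold together.
# Each pair lets a single holder both act and then cover the evidence,
# which is exactly what separation of duties is meant to prevent.
CONFLICTING_DUTIES = {
    frozenset({"backup", "restore"}),
    frozenset({"user_provisioning", "audit_log_review"}),
    frozenset({"firewall_change", "audit_log_review"}),
}

# Constructed roster: seven administrators and the tasks they can perform.
ASSIGNMENTS = {
    "alice": {"backup", "audit_log_review"},
    "bob":   {"restore", "user_provisioning"},
    "carol": {"backup"},
    "dave":  {"user_provisioning"},
    "erin":  {"firewall_change", "audit_log_review"},  # conflicting pair
    "frank": {"user_provisioning"},
    "grace": {"firewall_change"},
}

# Constructed job descriptions: the access each position actually requires.
# Alice's description does not call for log review, so that grant is excess.
JOB_DESCRIPTIONS = {
    "alice": {"backup"},
    "bob":   {"restore", "user_provisioning"},
    "carol": {"backup"},
    "dave":  {"user_provisioning"},
    "erin":  {"firewall_change", "audit_log_review"},
    "frank": {"user_provisioning"},
    "grace": {"firewall_change"},
}


def sod_violations(assignments, conflicts=CONFLICTING_DUTIES):
    """Separation of duties: every (person, task_a, task_b) where one
    person holds both halves of a conflicting pair."""
    found = []
    for person, tasks in sorted(assignments.items()):
        for a, b in combinations(sorted(tasks), 2):
            if frozenset({a, b}) in conflicts:
                found.append((person, a, b))
    return found


def least_privilege_excess(assignments, job_descriptions):
    """Least privilege: tasks granted beyond what the job description
    requires, per person. People with no excess are omitted."""
    excess = {}
    for person, tasks in assignments.items():
        extra = set(tasks) - job_descriptions.get(person, set())
        if extra:
            excess[person] = sorted(extra)
    return excess


def single_points_of_failure(assignments, tasks=TASKS, minimum=2):
    """Job rotation / knowledge redundancy: tasks that fewer than
    `minimum` people can perform, so one absence stalls the task."""
    coverage = {task: 0 for task in tasks}
    for held in assignments.values():
        for task in held:
            if task in coverage:
                coverage[task] += 1
    return sorted(task for task, n in coverage.items() if n < minimum)


def review(assignments=ASSIGNMENTS, job_descriptions=JOB_DESCRIPTIONS):
    """Run all three checks and return the findings in one dictionary."""
    return {
        "separation_of_duties": sod_violations(assignments),
        "excess_privilege": least_privilege_excess(assignments, job_descriptions),
        "single_points_of_failure": single_points_of_failure(assignments),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(f"{check}: {findings}")
```

Run against the constructed roster, the review flags Erin for holding both firewall changes and the review of the logs that would record them, flags Alice's log-review grant as beyond her job description, and reports that only Bob can perform restores. In practice the same three checks would be fed from the identity provider's group memberships and the HR system's position records rather than from literals, and re-run whenever either changes.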