Information Security and Risk Management CISSP Guide to Security Essentials Chapter 1.
Information Security and Risk Management
CISSP Guide to Security Essentials
Chapter 1
CISSP Guide to Security Essentials 2
Objectives
• How security supports organizational mission, goals and objectives
• Risk management
• Security management
• Personnel security
• Professional ethics
Mission
• A statement of the organization’s ongoing purpose and reason for existence.
• Usually published, so that employees, customers, suppliers, and partners are aware of the organization’s stated purpose.
Mission (cont.)
• Should influence how we will approach the need to protect the organization’s assets.
Example Mission Statements
• “Promote professionalism among information system security practitioners through the provisioning of professional certification and training.”
– (ISC)²
Example Mission Statements
• “Help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone… and to do this in a way which is in keeping with our society's highest traditions of the free and open flow of information and communication.”
– Electronic Frontier Foundation
Example Mission Statements
• “Empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.”
– Wikimedia Foundation
Objectives
• Statements of activities or end-states that the organization wishes to achieve.
• Support the organization’s mission and describe how the organization will fulfill its mission.
Objectives (cont.)
• Observable and measurable.
• Do not necessarily specify how they will be completed, when, or by whom.
Example Objectives
• “Improve security audit results.”
• “Develop a security awareness strategy.”
• “Consolidate computer account provisioning processes.”
Goals
• Specify the particular accomplishments that will enable the organization to meet its objectives.
• Measurable, observable, objective, support mission and objectives
Example Goals
• “Obtain ISO 27001 certification by the end of third quarter.”
• “Reduce development costs by twenty percent in the next fiscal year.”
• “Complete the integration of CRM and ERP systems by the end of November.”
Security Support of Mission, Objectives, and Goals
• Influence development of mission, objectives, goals
– Become involved in key activities
– Risk management provides feedback
Risk Management
• “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”
– Wiktionary
• Two activities make up the process:
– Risk assessments
– Risk treatment
Qualitative Risk Assessment
• For a given scope of assets, identify:
– Vulnerabilities
– Threats
– Threat probability (low / medium / high)
– Impact (low / medium / high)
– Countermeasures
Quantitative Risk Assessment
• Extension of a qualitative risk assessment. Metrics for each risk are:
– Asset value
– Exposure Factor (EF): portion of the asset damaged
– Single Loss Expectancy (SLE) = Asset value ($) × EF (%)
– Annualized Rate of Occurrence (ARO): probability of loss in a year, %
– Annual Loss Expectancy (ALE) = SLE × ARO
Quantifying Countermeasures
• Goal: reduction of ALE (or the qualitative losses)
• Impact of countermeasures:
– Cost of countermeasure
– Changes in Exposure Factor (EF)
– Changes in Single Loss Expectancy (SLE)
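The quantitative metrics above, carried through in Python as an added worked example that is not part of the slides. The asset value, exposure factors, rates of occurrence and control costs are constructed figures, and the scoring rule for a countermeasure (ALE before minus ALE after minus the control's annual cost) is a common way of comparing controls, not a formula the deck itself states.

```python
# Added example (not from the slides): a worked quantitative risk assessment
# using the deck's metrics. All dollar values, exposure factors, rates of
# occurrence and control costs below are constructed sample figures.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # replacement / repair value of the asset, in dollars
    exposure_factor: float  # portion of the asset damaged per incident, 0.0 to 1.0
    aro: float              # Annualized Rate of Occurrence: expected incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset value ($) x EF (%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(risk.asset_value, risk.exposure_factor) * risk.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float          # recurring cost of the control per year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Annual net value of a control: the ALE reduction it buys minus what it
    costs per year. Positive means the control pays for itself; negative means
    the organization would spend more on the control than it expects to lose."""
    treated = Risk(risk.name, risk.asset_value, cm.new_exposure_factor, cm.new_aro)
    return annual_loss_expectancy(risk) - annual_loss_expectancy(treated) - cm.annual_cost


def compare(risk: Risk, options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Rank candidate controls for one risk by annual net value, best first."""
    ranked = [(cm.name, countermeasure_value(risk, cm)) for cm in options]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scenario: a $200,000 file server; a ransomware incident is
# estimated to damage 60% of its value about once every two years (ARO 0.5).
FILE_SERVER_RISK = Risk("ransomware on file server", 200_000, 0.60, 0.5)

# Two candidate controls with constructed cost and effect estimates: one lowers
# the damage per incident (EF), the other lowers how often incidents occur (ARO).
OFFLINE_BACKUPS = Countermeasure("offline backups", 15_000, 0.10, 0.5)
CONTENT_GATEWAY = Countermeasure("content gateway", 70_000, 0.60, 0.1)


if __name__ == "__main__":
    sle = single_loss_expectancy(FILE_SERVER_RISK.asset_value, FILE_SERVER_RISK.exposure_factor)
    print(f"SLE: ${sle:,.0f}   ALE: ${annual_loss_expectancy(FILE_SERVER_RISK):,.0f}")
    for name, value in compare(FILE_SERVER_RISK, [OFFLINE_BACKUPS, CONTENT_GATEWAY]):
        print(f"{name}: net annual value ${value:,.0f}")
```

In the constructed scenario the SLE is $120,000 and the ALE $60,000 a year; offline backups cut the ALE to $10,000 for $15,000 a year (net value $35,000), while the gateway cuts it to $12,000 but costs $70,000 a year (net value of minus $22,000), so the cheaper control that reduces the exposure factor is the better treatment even though both reduce the ALE.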
Geographic Considerations
• Replacement and repair costs of assets may vary by location
• Exposure Factor may vary by location
• Impact may vary by location
Risk Assessment Methodologies
• NIST 800-30, Risk Management Guide for Information Technology Systems
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Risk Assessment Methodologies (cont.)
• FRAP (Facilitated Risk Analysis Process) – qualitative pre-screening
• Spanning Tree Analysis – visual, similar to mind map
Risk Treatment
• One or more outcomes from a risk assessment
– Risk acceptance: “yeah, we can live with that”
– Risk avoidance: discontinue the risk-related activity
– Risk reduction: mitigate
– Risk transfer: buy insurance
Security Management Concepts
• Security controls
• CIA Triad
• Defense in depth
• Single points of failure
• Fail open, fail closed
• Privacy
Security Controls
• Detective
• Preventive
• Deterrent
• Administrative
• Compensating
(covered in depth in Chapter 3)
CIA: Confidentiality, Integrity, Availability
• The three pillars of security: the CIA Triad
– Confidentiality: information and functions can be accessed only by properly authorized parties
– Integrity: information and functions can be added, altered, or removed only by authorized persons and means
– Availability: systems, functions, and data must be available on-demand according to any agreed-upon parameters regarding levels of service
Defense in Depth
• A layered defense in which two or more layers or controls are used to protect an asset
– Heterogeneity: the different controls should be of different types, so as to better resist attack
– Entire protection: each control completely protects the asset from most or all threats
Defense in Depth (cont.)
• Defense in depth reduces or eliminates the risks associated with single points of failure, fail open, malfunctions, and successful attacks on individual components
Single Points of Failure
• A single point of failure (SPOF) is a weakness in a system where the failure of a single component results in the failure of the entire system
Fail Open / Fail Closed
• When a security mechanism fails, there are usually two possible outcomes:
– Fail open – the mechanism permits all activity
– Fail closed – the mechanism blocks all activity
Fail Open / Fail Closed (cont.)
• Principles
– Different types of failures will have different results
– Both fail open and fail closed are undesirable, but sometimes one or the other is catastrophic!
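An added example, not from the slides, that puts the defense-in-depth and fail-open / fail-closed slides together: two layered controls guard a constructed resource, the application-layer check depends on a directory that can go down, and the caller picks whether that control fails open or closed. The control names, the allow-listed network, the grants and the sample requests are all assumptions made for the illustration.

```python
# Added example (not from the slides): how a control's failure mode (fail open
# vs. fail closed) interacts with layered controls. The control names, the
# directory outage and the sample requests are constructed for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class FailureMode(Enum):
    OPEN = "fail open"      # on malfunction the control permits all activity
    CLOSED = "fail closed"  # on malfunction the control blocks all activity


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: str
    resource: str


class ControlError(RuntimeError):
    """The control could not reach a decision (backend outage, bad config, ...)."""


@dataclass(frozen=True)
class Control:
    name: str
    decide: Callable[[Request], bool]  # True = allow, False = deny
    failure_mode: FailureMode

    def evaluate(self, request: Request, events: List[str]) -> bool:
        try:
            return self.decide(request)
        except ControlError as err:
            # The malfunction itself is the event worth alerting on.
            events.append(f"{self.name} malfunctioned ({err}); {self.failure_mode.value}")
            return self.failure_mode is FailureMode.OPEN


def layered_decision(controls: List[Control], request: Request) -> Tuple[bool, List[str]]:
    """Defense in depth: the asset is reachable only if every layer allows the
    request, so one control failing open does not by itself expose the asset."""
    events: List[str] = []
    allowed = all(control.evaluate(request, events) for control in controls)
    return allowed, events


# Layer 1 (network): a constructed allow-list of internal source addresses.
TRUSTED_PREFIXES = ("10.0.0.",)


def network_filter(req: Request) -> bool:
    return req.source_ip.startswith(TRUSTED_PREFIXES)


# Layer 2 (application): authorization against a directory that may be down.
GRANTS = {("alice", "payroll-db"), ("bob", "wiki")}


def make_app_authz(directory_online: bool) -> Callable[[Request], bool]:
    def app_authz(req: Request) -> bool:
        if not directory_online:
            raise ControlError("directory unreachable")
        return (req.user, req.resource) in GRANTS
    return app_authz


def decide(request: Request, directory_online: bool, app_mode: FailureMode) -> Tuple[bool, List[str]]:
    """Run a request through both layers; the caller chooses the application
    layer's failure mode, while the network filter always fails closed."""
    controls = [
        Control("network filter", network_filter, FailureMode.CLOSED),
        Control("app authorization", make_app_authz(directory_online), app_mode),
    ]
    return layered_decision(controls, request)


if __name__ == "__main__":
    samples = [
        Request("10.0.0.5", "unknown-user", "payroll-db"),    # inside the network, no grant
        Request("198.51.100.7", "unknown-user", "payroll-db"),  # outside the network, no grant
        Request("10.0.0.5", "alice", "payroll-db"),           # legitimate access
    ]
    for mode in FailureMode:
        for req in samples:
            allowed, events = decide(req, directory_online=False, app_mode=mode)
            verdict = "ALLOW" if allowed else "DENY"
            print(f"{mode.value:11} {req.user:13} from {req.source_ip:13} -> {verdict} {events}")
```

During the outage, a fail-open authorization layer lets an ungranted user on the internal network reach the payroll database (the catastrophic outcome for this asset), while fail-closed locks out alice, who is entitled to it (undesirable, but recoverable). The same fail-open control does not expose the asset to a request from outside the allow-listed network, because the network layer still denies it: this is the reduction of fail-open risk that the defense-in-depth slide describes.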
Privacy
• Defined: the protection and proper handling of sensitive personal information
• Requires proper technology for protection
Privacy (cont.)
• Requires appropriate business processes and controls for appropriate handling
• Issues
– Inappropriate uses
– Unintended disclosures to others
Security Management
• Executive oversight
• Governance
• Policy, guidelines, standards, and procedures
• Roles and responsibilities
Security Management (cont.)
• Service level agreements
• Secure outsourcing
• Data classification and protection
• Certification and accreditation
• Internal audit
Security Executive Oversight
• Support and enforcement of policies
• Allocation of resources
• Prioritization of activities
• Risk treatment
Governance
• Defined: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”
– IT Governance Institute
Governance (cont.)
• Steering committee oversight
• Resource allocation and prioritization
• Status reporting
• Strategic decisions
• The process and action that supports executive oversight
Policies, Requirements, Guidelines, Standards, and Procedures
• Policies: constraints of behavior on systems and people. Defines what, but not how.
• Requirements: required characteristics of a system or process
Policies, Requirements, Guidelines, Standards, and Procedures (cont.)
• Guidelines: define how to support a policy
• Standards: what products, technical standards, and methods will be used to support policy
• Procedures: step-by-step instructions
Roles and Responsibilities
• Formally defined in security policy and job descriptions
• These need to be defined:
– Ownership of assets
– Access to assets
– Use of assets
– Managers responsible for employee behavior
Service Level Agreements
• SLAs define a formal level of service
• SLAs for security activities
– Security incident response
– Security alert / advisory delivery
– Security investigation
– Policy and procedure review
Secure Outsourcing
• Outsourcing risks
– Control of confidential information
– Loss of control of business activities
– Accountability – the organization that outsources activities is still accountable for their activities and outcomes
Data Classification and Protection
• Components of a classification and protection program
– Sensitivity levels: “confidential”, “restricted”, “secret”, etc.
– Marking procedures: how to indicate sensitivity on various forms of information
– Access procedures
– Handling procedures: e-mailing, faxing, mailing, printing, transmitting, destruction
Certification and Accreditation
• Two-step process for the formal evaluation and approval for use of a system
– Certification is the process of evaluating a system against a set of formal standards, policies, or specifications.
– Accreditation is the formal approval for the use of a certified system, for a defined period of time (and possibly other conditions).
Internal Audit
• Evaluation of security controls and policies to measure their effectiveness
– Performed by internal staff
– Objectivity is of vital importance
– Formal methodology
– Required by some regulations, e.g. Sarbanes-Oxley
Security Strategies
• Management is responsible for developing the ongoing strategy for security management
Security Strategies (cont.)
• Past incidents can help shape the future
– Incidents
– SLA performance
– Certification and accreditation
– Internal audit
Personnel / Staffing Security
• Hiring practices and procedures
• Periodic performance evaluation
• Disciplinary action policy and procedures
• Termination procedures
Hiring Practices and Procedures
• Effective assessment of qualifications
• Background verification (prior employment, education, criminal history, financial history)
• Non-disclosure agreement
• Intellectual property agreement
Hiring Practices and Procedures (cont.)
• Employment agreement
• Agreement to abide by all organizational policies
• Formal job descriptions
Termination
• Immediate termination of all logical and physical access
• Change passwords known to the employee
• Recovery of all assets
Termination (cont.)
• Notification of the termination to affected staff, customers, other third parties
• And possibly: code reviews, review of recent activities prior to the termination
Work Practices
• Separation of duties
– Designing sensitive processes so that two or more persons are required to complete them
• Job rotation
– Good for cross-training, and also reduces the likelihood that employees will collude for personal gain
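Separation of duties enforced in code, as an added example that is not from the slides: a constructed wire-transfer workflow in which initiating, approving and releasing are distinct positions, a person who holds more than one role still cannot fill two positions in the same transaction, and larger amounts need a second approver. The roles, staff, threshold and audit wording are assumptions made for the illustration.

```python
# Added example (not from the slides): separation of duties enforced for a
# constructed wire-transfer release workflow. Roles, users and the
# dual-control threshold are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class PolicyViolation(Exception):
    """A step was attempted by someone the policy does not allow to perform it."""


@dataclass
class Transfer:
    transfer_id: str
    amount: float
    initiated_by: str
    approvals: Set[str] = field(default_factory=set)
    released: bool = False


@dataclass
class TransferWorkflow:
    roles: Dict[str, Set[str]]                # user -> roles held
    dual_control_threshold: float = 10_000.0  # at or above this, two approvers are needed
    audit: List[str] = field(default_factory=list)

    def _require_role(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PolicyViolation(f"{user} does not hold the {role} role")

    def initiate(self, transfer_id: str, amount: float, user: str) -> Transfer:
        self._require_role(user, "initiator")
        self.audit.append(f"{transfer_id}: initiated by {user} for {amount:.2f}")
        return Transfer(transfer_id, amount, user)

    def approve(self, transfer: Transfer, user: str) -> None:
        self._require_role(user, "approver")
        # Holding the approver role is not enough: the same person may not fill
        # two positions in one transaction, and may not approve twice.
        if user == transfer.initiated_by:
            raise PolicyViolation(f"{user} initiated {transfer.transfer_id} and may not approve it")
        if user in transfer.approvals:
            raise PolicyViolation(f"{user} already approved {transfer.transfer_id}")
        transfer.approvals.add(user)
        self.audit.append(f"{transfer.transfer_id}: approved by {user}")

    def required_approvals(self, transfer: Transfer) -> int:
        return 2 if transfer.amount >= self.dual_control_threshold else 1

    def release(self, transfer: Transfer, user: str) -> bool:
        self._require_role(user, "releaser")
        needed = self.required_approvals(transfer)
        if len(transfer.approvals) < needed:
            raise PolicyViolation(
                f"{transfer.transfer_id}: {needed} approval(s) required, have {len(transfer.approvals)}")
        if user == transfer.initiated_by or user in transfer.approvals:
            raise PolicyViolation(f"{user} already took part in {transfer.transfer_id} and may not release it")
        transfer.released = True
        self.audit.append(f"{transfer.transfer_id}: released by {user}")
        return True


def violates(action: Callable[[], object]) -> bool:
    """True if the action is rejected by the separation-of-duties checks."""
    try:
        action()
        return False
    except PolicyViolation:
        return True


# Constructed staff directory: alice holds two roles, which the checks above
# deliberately do not let her combine within a single transfer.
STAFF = {
    "alice": {"initiator", "approver"},
    "bob": {"approver"},
    "carol": {"approver"},
    "dave": {"releaser"},
}


if __name__ == "__main__":
    wf = TransferWorkflow(roles=STAFF)
    t = wf.initiate("T-1001", 25_000, "alice")
    print("alice approving her own transfer rejected:", violates(lambda: wf.approve(t, "alice")))
    wf.approve(t, "bob")
    print("release with one approval rejected:", violates(lambda: wf.release(t, "dave")))
    wf.approve(t, "carol")
    print("released:", wf.release(t, "dave"))
    print("\n".join(wf.audit))
```

The audit list is part of the control, not decoration: the deck's internal audit slide has the evaluator checking that controls work, and a record of who filled each position in each transaction is what makes that check possible after the fact.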
Work Practices (cont.)
• Mandatory vacations
– Detect / prevent irregularities that violate policy and practices
Security Education, Training, and Awareness
• Training on security policy, guidelines, standards
• Upon hire and periodically thereafter
Security Education, Training, and Awareness (cont.)
• Various types of messaging
– E-mail, intranet, posters, flyers, trinkets, training classes
• Testing – to measure employee knowledge of policy and practices
Professional Ethics
• (ISC)² code of ethics: Code of Ethics Canons
– Protect society, the commonwealth, and the infrastructure.
– Act honorably, honestly, justly, responsibly, and legally.
– Provide diligent and competent service to principals.
– Advance and protect the profession.
Summary
• An organization’s security program should support its mission, objectives, and goals
• The core principles of information security are confidentiality, integrity, and availability.
Summary (cont.)
• Privacy is related to the protection and proper handling of personal information.
• Security governance is the set of responsibilities and practices related to the development of strategic direction and risk management.
Summary (cont.)
• Security policies specify the required characteristics of information systems and the required conduct of employees.
• Security roles and responsibilities define the ownership, access, and use of assets, and the general responsibilities of managers and employees.
Summary (cont.)
• Data classification and protection defines levels of sensitivity for business information, as well as handling procedures for each level of sensitivity.
• Internal audit is the activity of evaluating security controls and policies to measure their effectiveness.
Summary (cont.)
• An organization’s hiring process should include the use of non-disclosure, employment, non-compete, intellectual property, and acceptable use agreements, as well as background checks.
Summary (cont.)
• Upon termination of employment, the organization should retrieve all assets issued to the terminated employee and immediately rescind the employee’s access to all information systems.
Summary (cont.)
• Sound work practices include separation of duties, job rotation, and mandatory vacations.
• A security education, training, and awareness program should keep employees regularly informed of their expectations.
Summary (cont.)
• Security professionals should adhere to a strict code of professional conduct and ethics.