(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide. Mike Chapple
Page 76
Know about legacy system security risk. Legacy systems are a common source of risk because they may no longer receive security updates from their vendors. End-of-life (EOL) is the point at which a manufacturer no longer produces a product. End-of-service-life (EOSL) or end-of-support (EOS) is the point after which the vendor no longer provides updates and support for the product.
Know about risk frameworks. A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored. The primary example of a risk framework referenced by the CISSP exam is the Risk Management Framework (RMF) defined by NIST in SP 800-37 Rev. 2. Others include ISO/IEC 31000, ISO/IEC 31004, COSO, Risk IT, OCTAVE, FAIR, and TARA.
Understand social engineering. Social engineering is a form of attack that exploits human nature and human behavior. The common social engineering principles are authority, intimidation, consensus, scarcity, familiarity, trust, and urgency. Such attacks may be used to elicit information or gain access through the use of pretexting and/or prepending. Social engineering attacks include phishing, spear phishing, business email compromise (BEC), whaling, smishing, vishing, spam, shoulder surfing, invoice scams, hoaxes, impersonation, masquerading, tailgating, piggybacking, dumpster diving, identity fraud, typo squatting, and influence campaigns.
Know how to implement security awareness training and education. Before actual training can take place, awareness of security as a recognized entity must be created for users. Once this is accomplished, training, or teaching employees to perform their work tasks and to comply with the security policy, can begin. All new employees require some level of training so that they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion.
Know about security champions. Often a security champion is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. Security champions are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors.
Understand gamification. Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change.
Know about the need for periodic content reviews and effectiveness evaluations. It is important to perform periodic content reviews of all training materials. This ensures that the training materials and their presentation stay in line with business goals, organizational mission, and security objectives. Some means of verification should be used to measure whether the training is beneficial or a waste of time and resources.
Written Lab
1. Name six different administrative controls used to secure personnel.
2. What are the basic formulas or values used in quantitative risk assessment?
3. Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment.
4. Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?
5. What are the main types of social engineering principles?
6. Name several types or methods of social engineering.
Review Questions
1. You have been tasked with overseeing the security improvement project for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO. Which of the following is likely the element of the organization that is considered the weakest?
A. Software products
B. Internet connections
C. Security policies
D. Humans
2. Due to recent organization restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step?
A. Create a job description.
B. Set position classification.
C. Screen candidates.
D. Request résumés.
3. _________________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics.
A. Reissue
B. Onboarding
C. Background checks
D. Site survey
4. After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO decides this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee?
A. Return the exiting employee's personal belongings.
B. Review the nondisclosure agreement.
C. Evaluate the exiting employee's performance.
D. Cancel the exiting employee's parking permit.
5. Which of the following is a true statement in regard to vendor, consultant, and contractor controls?
A. Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization.
B. Outsourcing can be used as a risk response option known as acceptance or appetite.
C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved.
D. Risk management strategies implemented by one party do not cause additional risks against or from another party.
6. Match the term to its definition:
1. Asset
2. Threat
3. Vulnerability
4. Exposure
5. Risk
I. The weakness in an asset, or the absence or the weakness of a safeguard or countermeasure.
II. Anything used in a business process or task.
III. Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited.
IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.
A. 1-II, 2-V, 3-I, 4-III, 5-IV
B. 1-I, 2-II, 3-IV, 4-II, 5-V
C. 1-II, 2-V, 3-I, 4-IV, 5-III
D. 1-IV, 2-V, 3-III, 4-II, 5-I
7. While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following is a possible risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information
8. During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach, and determining the number of times a threat could cause harm to the company each year. What is being performed?
A. Qualitative risk assessment
B. Delphi technique
C. Risk avoidance
D. Quantitative risk assessment
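As an added worked example (not from the study guide), the quantitative assessment that question 8 describes, carried through in Python: asset value in dollars, an exposure factor and an annualized rate of occurrence per threat, then single loss expectancy and annualized loss expectancy for ranking threats, and the cost/benefit test (ALE before the safeguard, minus ALE after, minus the safeguard's annual cost) that question 9's safeguard rule rests on. All dollar figures, threat names and safeguard parameters are constructed sample data, and the class and function names are this example's own.

```python
# Quantitative risk assessment, worked through. Added illustration, not
# code from the study guide. Every asset value, exposure factor, rate and
# safeguard cost below is a constructed sample figure.
#
# Formulas (standard CISSP definitions):
#   SLE = AV * EF                     single loss expectancy
#   ALE = SLE * ARO                   annualized loss expectancy
#   safeguard value = ALE_before - ALE_after - ACS
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of asset value lost per event, 0.0-1.0
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # ACS: annual cost of the safeguard
    residual_ef: float      # EF once the safeguard is in place
    residual_aro: float     # ARO once the safeguard is in place


def sle(asset_value: float, ef: float) -> float:
    """Single loss expectancy: dollars lost in one occurrence of the threat."""
    if asset_value < 0 or not 0.0 <= ef <= 1.0:
        raise ValueError("asset value must be >= 0 and EF must lie within [0, 1]")
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: expected dollars lost per year to one threat."""
    if aro < 0:
        raise ValueError("ARO must be >= 0")
    return sle(asset_value, ef) * aro


def rank_threats(asset_value: float, threats: list[Threat]) -> list[tuple[str, float]]:
    """Threats ordered by ALE, highest first: where safeguard budget should go."""
    scored = [(t.name, ale(asset_value, t.exposure_factor, t.aro)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def safeguard_value(asset_value: float, threat: Threat, safeguard: Safeguard) -> float:
    """Net annual benefit of a safeguard: ALE before - ALE after - ACS."""
    before = ale(asset_value, threat.exposure_factor, threat.aro)
    after = ale(asset_value, safeguard.residual_ef, safeguard.residual_aro)
    return before - after - safeguard.annual_cost


def is_cost_justified(asset_value: float, threat: Threat, safeguard: Safeguard) -> bool:
    """The rule: the annual cost of a safeguard must not exceed the annual loss it prevents."""
    return safeguard_value(asset_value, threat, safeguard) > 0


# Constructed sample data: one server room valued at $1,000,000.
SERVER_ROOM_VALUE = 1_000_000.0
THREATS = [
    Threat("fire", exposure_factor=0.70, aro=0.05),            # once in 20 years, 70% destroyed
    Threat("equipment theft", exposure_factor=0.10, aro=2.0),  # twice a year, 10% of value each
    Threat("malware outbreak", exposure_factor=0.05, aro=3.0),
]
FIRE = THREATS[0]
SUPPRESSION = Safeguard("gas fire suppression", annual_cost=20_000.0,
                        residual_ef=0.20, residual_aro=0.05)
HOT_SITE = Safeguard("fully redundant hot site", annual_cost=100_000.0,
                     residual_ef=0.10, residual_aro=0.05)

if __name__ == "__main__":
    for name, expected_loss in rank_threats(SERVER_ROOM_VALUE, THREATS):
        print(f"{name:<18} ALE ${expected_loss:,.0f}/yr")
    for sg in (SUPPRESSION, HOT_SITE):
        net = safeguard_value(SERVER_ROOM_VALUE, FIRE, sg)
        verdict = "justified" if is_cost_justified(SERVER_ROOM_VALUE, FIRE, sg) else "not justified"
        print(f"{sg.name}: net value ${net:,.0f}/yr, {verdict}")
```

With these figures the fire threat has the largest single loss (SLE $700,000) but, at one event per twenty years, the smallest ALE ($35,000), so theft and malware outrank it for budget. The suppression system nets $5,000 a year and passes the rule; the hot site cuts the same ALE further but costs $100,000 a year against at most $35,000 of prevented loss, so it fails.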
9. You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases?
A. The expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. The annual costs of safeguards should equal the value of the asset.
C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss.
D. The annual costs of safeguards should not exceed 10 percent of