The information below focuses on employee and personnel security and training; applying it will reduce the risk of insider threat.
CISSP Domain 1 – Employee Security
Security Awareness and Training
Security awareness training is a learning program that raises awareness of information security and computer security across the organisation. Its aim is to change user behaviour, break bad security habits and help users recognise threats. It is highly recommended that all organisations implement some form of security awareness training.
Onboarding and Termination Processes
The onboarding process is important because it sets the tone for a new employee’s work behavior and is the natural place to start setting expectations. Similarly, the termination process should clarify the departing employee’s continuing obligation to protect the organization’s intellectual property and security. The security practitioner should be actively engaged with the business to ensure that the proper tone is set for behavior in the workplace.
Nondisclosure agreement (NDA) – an agreement that employees and contractors sign stipulating that the signer must not disclose proprietary or sensitive information before, during, or after working on the project or during employment. Other names for a nondisclosure agreement that you may see are:
- Confidential disclosure agreements (CDAs)
- Proprietary information agreements (PIAs)
- Secrecy agreements (SAs)
There are also several types of NDAs to be aware of for the exam. These are:
- Unilateral NDA – a one-way disclosure, meaning that only one party is disclosing something, for example a flat file that is sent to another organization for its own contracted use.
- Multilateral NDA – three or more parties exchange information under the one agreement.
- Non-compete agreement (NCA) – an agreement in which the subject party agrees not to use what it learned from you to become your competitor.
Background checks
Background checks are a must when onboarding a new user into your organisation. A background check includes criminal records, a financial investigation, and verification of education and certifications.
Employee Termination
A fair formal termination process includes a progressive discipline (ladder of discipline) process:
- Coaching
- Formal Discussion
- Verbal Warning meeting, with HR attendance
- Written warning meeting, with HR attendance
- Termination
This is fair and lowers the chance of a negative reaction; people tend to act more reasonably if they feel they have been treated fairly.
Involuntary termination of employment is an emotionally charged event for all involved. In virtually all cases, an involuntary termination forces the employer to assume the terminated individual is a threat to the organization, and appropriate action should be taken to protect organizational assets. Termination procedures at most organizations include specific processes to notify the information security organization to disable access to electronic and physical systems. Where possible, recovery of property (uniforms, keys, equipment, etc.) that the employee used should be attempted. Where appropriate, the recovered material should be tracked as evidence and retained for subsequent forensic analysis. Finally, once the individual has left the organization, the staff should be informed that the terminated individual is no longer allowed access and that any attempts by that individual to access resources or property should be reported.
Vendor, Consultant and Contractor Security
Working with vendors and contractors is something that nearly every organization has to do in one form or another, and in many cases they need access to sensitive company data. If so, they must be trained, made aware of the risks, and required to abide by the organisation’s security policies, procedures and guidelines. Policies regarding ownership of data and intellectual property should be developed, along with clear rules dictating where and when a third party may access or store data.
Job Rotation
Job rotation is the concept of not leaving one person in one position for a long period of time. The purpose is to prevent a single individual from having too much control. Allowing someone to have total control over certain assets can result in the misuse of information, the modification of data, and fraud. By enforcing job rotation, no one person has the time to build up the degree of control that could place information assets at risk.
Acceptable use policy – how we use company assets and software – this also provides notification to employees that their activities are monitored.
Privacy policy – there should be two versions:
- Internal – for employees; stipulates that they must keep data confidential while employed and after employment, and how to handle the data.
- External – for public users; stipulates why data is collected, how it is used, and general information on the privacy tenets covered earlier.
Outsourcing and offshoring
Outsourcing – Use of a third party to provide IT services at lower cost
Offshoring – Outsourcing to another country
The main concerns about offshoring are the privacy and regulatory risks, e.g. Australia has no HIPAA, SOX or GLBA.
Approach to security management
Poor security management causes the majority of a company’s security problems. Security needs to be directed and supported by top management (the top-down approach); without that support, any security effort is doomed. Unfortunately, most companies follow a bottom-up approach, where the IT department takes security seriously and attempts to develop a security program on its own. That approach usually does not get the IT staff the necessary funds, support, resources or management attention, so it is often doomed from the start.
CISSP Domain 1 – Access Control Categories and types
There are three categories of access control that you need to be aware of if you are studying for the CISSP:
Administrative (directive) – Created by following company policy, procedure or regulation. Some examples of administrative controls are:
- Information classification
- Personnel procedures
- Investigations
- Testing
- Security-awareness and training
Technical control – software, hardware or firmware that restricts logical access, e.g. firewalls, routers, encryption. Some technical access control tools worth mentioning are:
- ACLs
- IDS
- Antivirus software
- Dial-up call-back systems
- Alarms and alerts
Physical control – implemented with physical devices such as locks, fences, gates and security guards. Some other physical access control components can be:
- Computer controls
- Separation of work area
- Backups of data
Some examples are fences, locks, badge system, security guards, biometric systems, mantrap doors, motion detectors, closed-circuit TVs, alarms, backups, etc.
6 Access Control Types
- Preventative
- Detective
- Recovery
- Deterrent
- Corrective
- Compensating
Preventative
Preventive controls are used to stop an action from occurring by blocking someone or something from doing it. Examples are:
- Firewalls.
- Intrusion Prevention Systems IPS.
- Security Guards.
- Biometric Access Control.
- Using Encryption.
- Video Surveillance.
- Fences.
- Strong Authentication.
- Locks.
- Mantraps.
- Antivirus Software.
Detective
Detective controls alert during or after a successful attack. A detective control doesn’t stop or mitigate intrusion attempts; it only identifies and reports them. Examples of this type are:
- Intrusion Detection Systems IDS.
- Alarms.
- Lights.
- Motion Detectors.
- Security Guards.
- Video Surveillance.
- Logs and Audit Trails.
- Enforcing Staff Vacations.
Recovery
Recovery controls take effect after a security incident has occurred; examples are reinstalling the OS or restoring from backup.
Recovery controls include:
- Disaster Recovery Site.
- System and Data backups.
- High Availability.
Deterrent
Deterrent controls discourage users from performing unwanted actions on a system.
Deterrent controls include:
- Fences.
- Security Guards.
- Dogs.
- Lights.
- Video Surveillance.
- Alarms.
Corrective
Corrective controls work by “correcting” a damaged system or process. Antivirus software works as both a detective and a corrective control: it detects the virus and places the infected file in quarantine.
Examples for this type are:
- Restoring operating system or data from a recent backup.
- Updating an outdated antivirus.
- Installing a fix.
Compensating
A compensating control is an additional security control put in place to compensate for a weakness in other controls. Example: a policy under which surfing illicit websites costs an employee his job is an administrative deterrent control; reviewing the web logs each day adds a detective compensating control that augments the administrative one.
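The daily log review mentioned above is the part of that example a practitioner actually has to build. The script below is an added illustration, not part of the original notes: it parses a few constructed web-proxy log lines, reports every user who requested a site in a category the acceptable use policy forbids (the detective compensating control), and separately flags forbidden requests the proxy ALLOWED, which is a gap in the preventive filter. The log format (`timestamp user action category url`) and the category names are assumptions for the example; a real proxy (Squid, Zscaler, etc.) has its own format and category list.

```python
"""Daily proxy-log review as a detective compensating control.

Added example, not from the original notes. Assumed log format:
    <ISO-8601 timestamp> <user> <ALLOWED|BLOCKED> <category> <url>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice ALLOWED business https://intranet.example/home
2024-03-04T09:15:44Z bob ALLOWED news https://news.example/today
2024-03-04T10:02:13Z bob BLOCKED gambling https://bets.example/slots
2024-03-04T10:02:20Z bob BLOCKED gambling https://bets.example/poker
2024-03-04T11:30:05Z carol ALLOWED adult https://adult.example/index
2024-03-04T12:00:00Z alice ALLOWED business https://crm.example/leads
2024-03-04T13:45:09Z bob ALLOWED gambling https://odds.example/live
this line is malformed and should be skipped
"""

# Categories the acceptable use policy forbids (assumed policy values).
FORBIDDEN_CATEGORIES = {"gambling", "adult", "malware"}


@dataclass(frozen=True)
class ProxyEvent:
    ts: datetime
    user: str
    action: str
    category: str
    url: str


def parse_line(line):
    """Parse one log line; return None for anything that does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_raw, user, action, category, url = parts
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ProxyEvent(ts, user, action, category, url)


def parse_log(text):
    """Parse a whole log, silently dropping malformed lines."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def find_violations(events, forbidden=FORBIDDEN_CATEGORIES):
    """Return {user: [events]} for every request to a forbidden category.

    BLOCKED requests count too: the policy review cares that the user tried,
    not only whether the preventive filter happened to stop it.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev.category in forbidden:
            by_user[ev.user].append(ev)
    return dict(by_user)


def filter_gaps(events, forbidden=FORBIDDEN_CATEGORIES):
    """Forbidden requests the proxy let through: the preventive control failed."""
    return [ev for ev in events if ev.category in forbidden and ev.action == "ALLOWED"]


def daily_report(text):
    """Build the text a reviewer reads each morning."""
    events = parse_log(text)
    violations = find_violations(events)
    lines = []
    for user in sorted(violations):
        evs = violations[user]
        cats = sorted({e.category for e in evs})
        lines.append(f"{user}: {len(evs)} request(s) to {', '.join(cats)}")
        for e in evs:
            lines.append(f"    {e.ts.isoformat()} {e.action:<7} {e.url}")
    gaps = filter_gaps(events)
    if gaps:
        lines.append(f"{len(gaps)} forbidden request(s) were ALLOWED: review the proxy filter rules")
    return "\n".join(lines)


if __name__ == "__main__":
    print(daily_report(SAMPLE_LOG))
```

Running it on the constructed sample lists bob (three gambling requests, two blocked and one allowed) and carol (one adult-category request), and notes that two forbidden requests were allowed through. The review itself is the detective control; the "ALLOWED" line at the end is the feedback loop that turns a detection into a fix of the preventive control.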
Data Ownership
Data ownership and responsibility have some newer terms since the 2018 exam refresh.
- Data Subject – the person who the information is about.
- Data Owner – the entity that collects/creates the PII and is legally responsible and accountable for protecting it and educating others about how to protect the data through dissemination of intellectual property rights documentation, policies and regulatory requirements, specific protective measures that are expected of custodians, and compliance requirements.
- Data Controller – same as data owner when a true data owner does not exist.
- Data Processor – typically an entity that works under the direction of the owner/controller, such as an IT department.
- Data Custodian – the role within the processing entity (IT department) that handles the data daily.
- Data Steward – a newer concept related to users of the data; those who use the data for the business purpose.