Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

20 Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.)LayeringClassificationsZonesRealmsCompartmentsSilosSegmentationsLattice structureProtection rings

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 1.0: Security and Risk Management1.9 Contribute to and enforce personnel security policies and procedures1.9.1 Candidate screening and hiring1.9.2 Employment agreements and policies1.9.3 Onboarding, transfers, and termination processes1.9.4 Vendor, consultant, and contractor agreements and controls1.9.5 Compliance policy requirements1.9.6 Privacy policy requirements1.10 Understand and apply risk management concepts1.10.1 Identify threats and vulnerabilities1.10.2 Risk assessment/analysis1.10.3 Risk response1.10.4 Countermeasure selection and implementation1.10.5 Applicable types of controls (e.g., preventive, detective, corrective)1.10.6 Control assessments (security and privacy)1.10.7 Monitoring and measurement1.10.8 Reporting1.10.9 Continuous improvement (e.g., Risk maturity modeling)1.10.10 Risk frameworks 1.13 Establish and maintain a security awareness, education, and training program1.13.1 Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)1.13.2 Periodic content reviews1.13.3 Program effectiveness evaluation

The Security and Risk Management domain of the CISSP certification exam deals with many of the foundational elements of security solutions, such as design, implementation, and administration of security mechanisms. Additional elements of this domain are discussed in various chapters: Chapter 1, “Security Governance Through Principles and Policies”; Chapter 3, “Business Continuity Planning”; and Chapter 4, “Laws, Regulations, and Compliance.” Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.

Humans are often considered the weakest element in any security solution. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take into account the humanity of your users when designing and deploying security solutions for your environment. To understand and apply security governance, you must address the weakest link in your security chain—namely, people.

However, people can also become a key security asset when they are properly trained and are motivated to protect not only themselves but the security of the organization as well. It is important to not treat personnel as a problem to be solved, but as people who can become valued partners in a security endeavor.

Issues, problems, and compromises related to humans occur at all stages of a security solution development. This is because humans are involved throughout the development, deployment, and ongoing management of any solution. Therefore, you must evaluate the effect users, designers, programmers, developers, managers, vendors, consultants, and implementers have on the process.

Hiring new staff typically involves several distinct steps: creating a job description or position description , setting a classification for the job, screening employment candidates, and hiring and training someone best suited for the job. Without a job description, there is no consensus on what type of individual should be hired. Any job description for any position within an organization should address relevant security issues, such as whether the position requires the handling of sensitive material or access to classified information. In effect, the job description defines the roles to which an employee needs to be assigned to perform their work tasks. Job roles typically align to a rank or level of privilege, whereas job descriptions map to specifically assigned responsibilities and tasks.

Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. Depending on their responsibilities, employees require access to various objects, resources, and services. Thus, a list of job responsibilities guides the assignment of access rights, permissions, and privileges. On a secured network, users must be granted access privileges for those elements related to their work tasks.

Job descriptions are not used exclusively for the hiring process; they should be maintained throughout the life of the organization. Only through detailed job descriptions can a comparison be made between what a person should be responsible for and what they actually are responsible for. Managers should audit privilege assignments to ensure that workers do not obtain access that is not strictly required for them to accomplish their work tasks.

Employment candidate screening for a specific position is based on the sensitivity and classification defined by the job description. Thus, the thoroughness of the screening process should reflect the security of the position to be filled.

Employment candidate screening, background checks, reference checks, education verification, and security clearance validation are essential elements in proving that a candidate is adequate, qualified, and trustworthy for a secured position. Background checks include obtaining a candidate's work and educational history; checking references; verifying education; interviewing colleagues; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver's license, and/or birth certificate; and holding a personal interview. Depending on the job position, this process could also include skill challenges, drug testing, credit checks, checking driving record, and personality testing/evaluation.

Performing online background checks and reviewing the social networking accounts of applicants has become standard practice for many organizations. If a potential employee has posted inappropriate materials online, then they are not as attractive a candidate as those who did not. A general picture of a person's attitude, intelligence, loyalty, common sense, diligence, honesty, respect, consistency, and adherence to social norms and/or corporate culture can be gleaned quickly by viewing a person's online identity. However, it is important to be fully aware of the legal restrictions against discrimination. Various countries have vastly different freedoms or limitations on background checks, especially criminal history research. Always confirm with the legal department before evaluating applicants for a job position.

During the initial applicant review process, the human resources (HR) staff are looking to confirm that a candidate is properly qualified for a job, but they are also on the lookout for issues that would disqualify the applicant.

Interviewing qualified applicants is the next filter to use to eliminate those who are not suited for the job or the organization. When conducting interviews, it is important to have a standardized interview process in order to treat each candidate fairly. Although some aspects of an interview are subjective and based on the interplay of personalities of the candidates and the interviewer, the decision whether or not to hire someone needs to be legally defensible.