CISSP CHAPTER 2: PERSONNEL SECURITY AND RISK MANAGEMENT CONCEPTS
_________ are the weakest element in any security solution. - Humans
________ should address security issues and are one of the first ways of doing so. - Job Descriptions
_______ is the security concept in which critical, significant, and sensitive work tasks are divided among
several individual administrators or high-level operators, preventing one person from having the ability
to undermine or subvert vital security mechanisms. Good job descriptions create this. - Separation of
Duties
Separation of duties protects against __________, which is the occurrence of negative activity undertaken
by two or more people, often for the purposes of fraud, theft, or espionage. - Collusion
_________ are the specific work tasks an employee is required to perform on a regular basis. Everything
should be set with the principle of least privilege. - Job responsibilities
________ is simply a means by which an organization improves its overall security. It provides a type of
knowledge redundancy where everyone knows how to help fix problems and reduces the risk of fraud,
data modification, theft, sabotage, or misuse of information. - Job rotation
Often a _________ is signed when an employee is hired to protect confidential information within an
organization from being disclosed by a former employee. - Nondisclosure Agreement (NDA)
Often a _______ is signed when an employee is hired to prevent them from working for a competitor if
they are to be let go. - Noncompete Agreement (NCA)
___________ give time for auditing to make sure employee responsibilities haven't drifted. - Mandatory
vacations
Key aspects of employee termination - Private with a witness, employee escorted off, all credentials
taken, exit interviews to review the NDA, and termination of their network account.
Vendor, consultant, and contractor controls are used to define the levels of performance, expectation,
compensation, and consequences for entities, persons, or organizations that are external to the primary
organization. Often these controls are defined in a document or policy known as a ________ that
addresses system uptime, maximum consecutive downtime, peak load, average load, responsibility for
diagnostics, and failover time if redundancy is in place. It may also include financial or other contractual
remedies if the agreement is not maintained. - Service-Level Agreement
________ is the act of conforming to or adhering to rules, policies, regulations, standards, or
requirements. - Compliance
__________ is the collection of practices related to supporting, defining, and directing the security
efforts of an organization. - Security Governance
_________ is the system of oversight that may be mandated by law, regulation, industry standards,
contractual obligation, or licensing requirements. It often involves an outside investigator or auditor. -
Third-party governance
_________ is the process of reading the exchanged materials and verifying them against standards and
expectations. Typically performed before any on-site inspections. - Documentation review
Bad documents can result in the loss or voiding of _________ or lead to a temporary one pending
review. - authorization to operate (ATO)
The possibility that something could happen to damage, destroy, or disclose data or other resources is
known as ______. - Risk
_______ is a detailed process of identifying factors that could damage or disclose data, evaluating those
factors in light of data value and countermeasure cost, and implementing cost-effective solutions for
mitigating or reducing risk. - Risk management