Security Risk Management Practice Areas

Questions and Answers

Which security practice area provides a framework for better practice in asset protection and the application of conceptual practices?

  • People Security
  • Physical Security
  • Security Management (correct)
  • Information Security

What is the primary goal of integrating physical, people, ICT, and information security practice areas through security management?

  • To enhance the individual effectiveness of each security area.
  • To reduce the cost of security measures across the organization.
  • To ensure compliance with industry-specific regulations.
  • To develop a complete Security Risk Management (SRM) strategy. (correct)

Which of the following is a key component of physical security that serves to protect assets from a range of threats?

  • Data encryption protocols
  • Employee background checks
  • Security awareness training programs
  • Physical barriers such as fences and bollards (correct)

What is the purpose of structural barriers in physical security, beyond merely enhancing physical protection?

  • To serve as a psychological deterrent against potential attacks. (correct)

In an organization, what is the purpose of 'accompanied access areas' in the context of physical security?

  • To permit visitors and trusted individuals under controlled conditions, such as escort. (correct)

Which component of people security focuses on issues like identity fraud, biometrics, and the protection of sensitive personal information?

  • Identity security (correct)

What does personnel security primarily involve within the realm of people security?

  • The management of employees and contractors through security clearances and assessments. (correct)

What is the significance of 'human factors' in Security Risk Management (SRM)?

  • They are the principal determinant of security outcomes, capable of reinforcing or undermining SRM. (correct)

When hiring for a permanent staff position, what should determine the type of checks required, according to the guidelines on employment checking?

  • The sensitivity of the assets that the employee will have access to. (correct)

What is the main reason for organizations to conduct security awareness and training programs for their staff?

  • To ensure all employees are aware of the policies and procedures for data privacy and security. (correct)

What is the potential impact of uncontrolled software installation on an organization's ICT systems?

  • It can destabilize system integrity and expose critical files to corruption or disruption. (correct)

What is a key consideration when assessing and managing ICT security risks related to equipment obsolescence?

  • Planned expenditure on software upgrades and acquiring interoperable equipment. (correct)

Which aspect of information security ensures that data is provided with proof of delivery and the recipient is provided with proof of the sender's identity?

  • Authenticity or nonrepudiation (correct)

During which stage of the information security life cycle is it most critical for the developer or information owner to classify and mark information?

  • Creation/Acquisition (correct)

Why are security procedures for destruction particularly relevant when dealing with information received from or held on behalf of other parties?

  • To avoid potential liability from failure to meet requirements for proper destruction or transfer. (correct)

What is the primary focus of Business Continuity Management (BCM)?

  • Developing and applying practices that build resilience and restore capabilities after disruptions. (correct)

What is the significance of a business continuity plan?

  • It is a comprehensive statement of consistent action taken before, during, and after a disaster or outage. (correct)

How can effective business continuity management benefit an organization in terms of insurance?

  • By helping the organization demonstrate proactive risk management to underwriters and insurers. (correct)

Under what circumstance might service organizations increasingly be asked to demonstrate their contingency provisions?

  • By business partners, customers, and stakeholders. (correct)

What benefit does demonstrating effective BCM capabilities provide to an organization?

  • Ability to provide high service levels to clients and customers and win business. (correct)

Flashcards

Security Management

A framework for asset protection, applying conceptual practices to ensure SRM areas work individually and as a whole.

Physical Security

Involves the physical protection of personnel, hardware, property, networks, and data from deliberate acts and events.

People Security

Protects people from harm and the organization from people-related threats through vetting and protective practices.

ICT Security

Protects information systems and the data they manage from infiltration, malfunction, or human error.

Information Security

Maintains information securely with controlled access, integrity, availability, utility, authenticity, and control.

Elements of Security Management

Risk management, threat assessments, intelligence gathering, investigations, root cause analysis, administrative controls, and governance arrangements.

Purpose of Physical Barriers

Define perimeter, control access, detect intrusions, and delay unauthorized entry to protect assets.

Categories of Access

Restricted, accompanied, and group access, based on trust and control levels within an organization.

Human Security

Protection of individuals, focusing on safety and well-being from various threats.

Personnel Security

Security-related management of employees and contractors, including clearances, screening, and assessments.

Identity Security

Addresses issues like identity fraud, biometrics, privacy, and protection of personal information.

Personal Protective Practices

Physical, procedural, and conceptual activities to protect personal security, like travel and residential security.

Security Awareness Training

Orientation and training on security policies, procedures, employee responsibilities, and reporting violations.

Protective SRM Principles

Apply to the protection of information technology and communications systems, in a similar way to other types of assets.

ICT Security Threats

Automated attacks, malicious misuse, rogue software, ICT staff unavailability, and obsolescence.

Information Security Life Cycle

The manner in which information is subject to various processes at different times, from creation to destruction.

Business Continuity Management

Developing practices that build resilience, prepare for disruptions, and restore capabilities in organizations.

Elements of Business Continuity Management

Business impact analysis, recovery plans, alternate sites, and existing facilities restoration.

Benefits of Business Continuity Management

Avoid fines, provide continuous services, gain a competitive advantage, and improve insurance terms.

Study Notes

Practice Areas in Security Risk Management (SRM)

  • Five practice areas inform security risk management: security management, physical security, people security, information security, and Information and Communications Technology (ICT) security.

Security Management

  • Provides a framework for asset protection and enables all areas of SRM to work individually and collectively.
  • Encourages an SRM culture within organizations.
  • Outlines a skill set for SRM practitioners.
  • Integrates physical, people, ICT, and information security practices.
  • Equated with protective security, encompassing conceptual, virtual, and procedural asset protection.
  • Consists of risk management, threat assessments, intelligence, investigations, root cause analysis, administrative controls, and governance arrangements.

Physical Security

  • Protects personnel, hardware, property, networks, and data from burglary, theft, vandalism, and terrorism.
  • Traditional elements like guns, guards, and gates (3Gs) are only a small part of physical security.
  • Security plans must encompass physical security.
  • Security measures to implement include access control systems, executive protection with background checks, security staff, and integration of physical safety issues.
  • Emergency response systems and fire prevention measures are important.
  • Physical security needs an understanding of both the internal and external environment.
  • Physical barriers like fences, bollards, doors, and screens protect assets.
  • Physical barriers can define perimeters, control access, detect unauthorized entry, and delay intrusion.
  • Barriers can be natural and structural; structural barriers can deter attacks.
  • Barriers should reduce the need for costly security measures (human/technological).
  • Organizations need restricted access, accompanied access, and group access areas.
  • Hospital example: group access in the grounds and waiting rooms, accompanied access in emergency treatment areas, restricted access in the pharmacy.

People Security

  • Two main goals: protecting people (staff, family, visitors) from harm and protecting organizations from security threats controlled by people (vetting, protective measures).
  • Embodies duty of care to staff and visitors and recognizes this group can pose a security threat.
  • Vital to an organization’s internal/external operational security and business continuity.
  • Considers sociopolitical issues, human security, recruitment, vetting, fraud control, coercion, and corruption.
  • Aims to protect against security risks from staff, contractors, visitors and the public.
  • Encompasses:
    • Human Security: Protection of individuals.
    • Personnel Security: Security-related management of employees/contractors: security clearances, employment screening, assessment.
    • Identity Security: Addresses identity fraud, biometrics, privacy, and protection of sensitive information.
    • Personal Protective Practices: Physical, procedural and conceptual activities for individual security, like close protection, travel, and residential security.
    • Human Factors: Behaviour is the principal determinant of security outcomes and can reinforce or undermine SRM; good judgement is required.
  • Personnel Security: A process for ensuring only suitable people can access sensitive resources.
  • Effective management includes responsibilities of staff, management, recruitment, and colleagues.
  • Evaluate trustworthiness before placing someone in a position of trust.
  • Screening alone is not enough.
  • Employment checking must include character references and checking CV and qualifications.
  • Ongoing psychological evaluations for high-stress roles are also mandatory.
  • Maintenance involves access control, records, admin for staff, volunteers, visitors, and contractors.
  • Record keeping includes security items (keys, codes, badges, passwords).
  • Must safeguard information system assets (laptops, software).
  • Revoke access privileges and retrieve sensitive material/hardware upon termination or transfer.
  • Provide security awareness and training on policies/procedures for data privacy and data security.
  • Large organizations should issue staff with authorization codes and ID.

ICT Security

  • The security of information systems is critical to a knowledge-based economy.
  • Information systems (email, data warehouses, search engines, servers) are vulnerable.
  • SRM principles extend to protecting IT and communications.
  • All practice areas are interdependent; ICT security in particular relies on encryption.
  • Without adequate protection the confidentiality of ICT systems is compromised, and security systems may not prevent breaches if the underlying infrastructure is poorly secured.
  • Threats include network-aware automated attacks, system misuse, rogue software, ICT staff unavailability, and equipment obsolescence.
  • Automated attacks from viruses, worms, trojans result in data destruction, theft, and loss of productivity.
  • Misuse causes damage to ICT systems and company reputation.
  • Uncontrolled software causes instability and data corruption.
  • Shortage of ICT staff makes organizations vulnerable.
  • Equipment obsolescence is a potential vulnerability.
  • Plan software upgrades and acquire interoperable equipment.

Information Security

  • Protecting information is an increasing challenge.
  • Patent laws offer some level of protection.
  • Applies to both electronic and hard-copy information.
  • Hard copy is more susceptible to damage.
  • Involves confidentiality, integrity, availability, utility, authenticity, and control/possession.

The Information Security Life Cycle

  • Information goes through processes, from creation/acquisition to destruction/acquittal.
  • Stages:
    • Creation/Acquisition: Information is created or acquired, and the developer or information owner classifies and marks it.
    • Distribution: Access is granted only to authorized people. Transfer methods carry the risk of incorrect or accidental access.
    • Use: Information is used, and personnel must guard against compromise.
    • Storage: When information becomes redundant, it is stored using archiving and electronic storage.
    • Destruction: Information is permanently removed from storage media. Destruction is vital when dealing with national security information or third-party contracts.
    • Acquittal: Records of destruction or transfer are kept, especially for third-party information. These records give information owners and management a basis for accountability.

Business Continuity Management (BCM)

  • BCM develops and applies practices that build resilience, prepare for disruptions, and restore capabilities afterwards.
  • Includes:
    • Business impact analysis: Assessment of the effect a business disruption event may have on the organization's business operations.
    • Preparation and execution of recovery plans
    • Alternate facilities and sites
    • Restoration or replacement of facilities
  • Planning identifies critical functions and minimizes service loss.
  • Strategies involve third-party data centers and alternate workspaces.
  • It is a continuous activity throughout the organizational lifecycle.
  • Addresses extended restoration after immediate responses.
  • Ensures business continuity with more than IT solutions.
  • Plans are comprehensive statements of action before, during, and after a disaster, designed for the worst case but flexible enough to handle easier incidents (power outage, server errors).
  • BCM provides structure and regularity to recovery, with benefits such as compliance, improved marketing, and competitive advantage.
  • Mandatory BCM requirements are emerging in some industries; meeting them avoids heavy fines.
  • BCM demonstrates contingency provisions to potential clients.
  • Effective BCM demonstrates proactive risk management to underwriters and insurers and supports recovery during insurance claims.
