
Chapter 2 Personnel Security and Risk Management Concepts

Personnel Security Policies and Procedures

Written Lab

  1. Name six different administrative controls used to secure personnel.

    Job description, principle of least privilege, separation of duties, job responsibilities, job rotation/cross-training, and performance review.

  2. What are the basic formulas or values used in quantitative risk assessment?

    Asset Value (AV, in $)
    Exposure Factor (EF, the percentage of the asset's value lost in a single incident)
    Single Loss Expectancy: SLE = AV * EF
    Annualized Rate of Occurrence (ARO, the expected number of incidents per year; may be less than 1 for rare events)
    Annualized Loss Expectancy: ALE = SLE * ARO = AV * EF * ARO
    Cost/benefit of a safeguard = (ALE1 - ALE2) - ACS, where ALE1 is the ALE before the safeguard, ALE2 is the ALE after the safeguard is in place, and ACS is the Annual Cost of the Safeguard. A positive result means the safeguard saves more per year than it costs; a negative result means it is not financially justified.
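    Worked example of these formulas, added here to illustrate the lab answer (it is not code from the book). The symbols AV, EF, SLE, ARO, ALE and ACS follow the answer above; the asset, the candidate safeguards and all dollar figures are constructed for the example. It goes one step beyond the single formula by ranking several safeguards against the same asset, which is how the cost/benefit value is actually used.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost/benefit.

Added example with constructed figures; not from the book.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year (may be < 1)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # ACS, dollars per year
    new_exposure_factor: float  # EF once the safeguard is in place
    new_aro: float              # ARO once the safeguard is in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF. Rejects an EF outside 0..1 (a 150% loss is a data entry error)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"EF must be a fraction between 0 and 1, got {ef}")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO = AV * EF * ARO."""
    if aro < 0:
        raise ValueError(f"ARO cannot be negative, got {aro}")
    return single_loss_expectancy(av, ef) * aro


def cost_benefit(ale_before: float, ale_after: float, acs: float) -> float:
    """Cost/benefit = (ALE1 - ALE2) - ACS.

    Positive: the safeguard saves more per year than it costs.
    Negative: the safeguard costs more than the loss it prevents.
    """
    return (ale_before - ale_after) - acs


def evaluate_safeguards(asset: Asset, safeguards: list[Safeguard]) -> list[tuple[str, float]]:
    """Rank candidate safeguards for one asset, best cost/benefit first."""
    ale1 = annualized_loss_expectancy(asset.value, asset.exposure_factor, asset.aro)
    ranked = []
    for sg in safeguards:
        ale2 = annualized_loss_expectancy(asset.value, sg.new_exposure_factor, sg.new_aro)
        ranked.append((sg.name, cost_benefit(ale1, ale2, sg.annual_cost)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed scenario: a customer-facing web server worth $200,000 that loses
# 45% of its value per compromise and is compromised about once every two years.
WEB_SERVER = Asset(name="web server", value=200_000, exposure_factor=0.45, aro=0.5)

# Constructed candidate safeguards (names and figures are hypothetical).
CANDIDATES = [
    Safeguard("web application firewall", annual_cost=12_000, new_exposure_factor=0.45, new_aro=0.1),
    Safeguard("nightly offsite backups", annual_cost=5_000, new_exposure_factor=0.15, new_aro=0.5),
    Safeguard("dedicated 24x7 SOC", annual_cost=60_000, new_exposure_factor=0.10, new_aro=0.05),
]


if __name__ == "__main__":
    ale = annualized_loss_expectancy(WEB_SERVER.value, WEB_SERVER.exposure_factor, WEB_SERVER.aro)
    print(f"SLE = ${single_loss_expectancy(WEB_SERVER.value, WEB_SERVER.exposure_factor):,.0f}")
    print(f"ALE before any safeguard = ${ale:,.0f}")
    for name, value in evaluate_safeguards(WEB_SERVER, CANDIDATES):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:28s} cost/benefit = ${value:>10,.0f}  ({verdict})")
```

    Note that the SOC comes out negative even though it removes almost all of the risk: ALE drops from $45,000 to $1,000, but that $44,000 saving costs $60,000 a year. The formula compares the loss avoided with the price paid, not how much risk is removed, which is exactly why a purely quantitative answer must be balanced against qualitative factors (see question 4).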

  3. Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment.

    The Delphi technique is an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.

  4. Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?

    Risk assessment often involves a hybrid approach using both quantitative and qualitative methods. A purely quantitative analysis is not possible: not all elements and aspects of the analysis can be quantified, because some are qualitative, some are subjective, and some are intangible.

  5. What are the main types of social engineering principles?

    The common social engineering principles are authority, intimidation, consensus, scarcity, familiarity, trust and urgency.

  6. Name several types or methods of social engineering.

    Possible answers: eliciting information, pretexting, prepending, phishing, spear phishing, etc.

The levels of the Risk Maturity Model (RMM)

Level 1: Ad hoc. The chaotic starting point; risk management is not yet something the organization considers.

Level 2: Preliminary. Loose attempts are made to follow risk management processes, but each department may perform risk assessment in its own way.

Level 3: Defined. A common or standardized risk framework is adopted organization-wide.

Level 4: Integrated. Risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered in business strategy decisions.

Level 5: Optimized. Risk management focuses on achieving objectives rather than just reacting to threats, and lessons learned are fed back into the risk management process.

Seven steps of the NIST Risk Management Framework (RMF)

Defined in NIST SP 800-37 (Rev. 2):

Prepare: carry out the essential activities that ready the organization and the system to manage security and privacy risk.

Categorize: categorize the system and the information it processes, stores and transmits based on an impact analysis.

Select: select the set of controls (from NIST SP 800-53) needed to protect the system, based on its categorization and the risk assessment.

Implement: implement the selected controls and document how they are deployed.

Assess: determine whether the controls are implemented correctly, operating as intended and producing the desired outcome.

Authorize: a senior official makes a risk-based decision to authorize the system to operate.

Monitor: continuously monitor the controls and the risks to the system, and report the results.