Understand and Apply Risk Management Concepts
the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
■ Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.”
[From NIST SP 800-37]
Figure 2.7 The six steps of the risk management framework
There is significantly more detail about RMF in the NIST publication; please review that document for a complete perspective on risk frameworks.
The NIST RMF is the primary focus of the CISSP exam, but you might want to review other risk management frameworks for use in the real world. Please consider Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Factor Analysis of Information Risk (FAIR), and Threat Agent Risk Assessment (TARA). For further research, you’ll find a useful article here: www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks–real-world-experience.html. Understand that there are a number of well-recognized frameworks and that selecting one that fits your organization’s requirements and style is important.
Chapter 2 ■ Personnel Security and Risk Management Concepts
Establish and Maintain a Security Awareness, Education, and Training Program
The successful implementation of a security solution requires changes in user behavior. These changes primarily consist of alterations in normal work activities to comply with the standards, guidelines, and procedures mandated by the security policy. Behavior modification involves some level of learning on the part of the user. To develop and manage security education, training, and awareness, all relevant items of knowledge transference must be clearly identified and programs of presentation, exposure, synergy, and implementation crafted.
A prerequisite to security training is awareness. The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users. Awareness establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand and comprehend. Awareness is not exclusively created through a classroom type of exercise but also through the work environment. Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies, and memos as well as the traditional instructor-led training courses.
Awareness establishes a minimum standard common denominator or foundation of security understanding. All personnel should be fully aware of their security responsibilities and liabilities. They should be trained to know what to do and what not to do.
The issues that users need to be aware of include avoiding waste, fraud, and unauthorized activities. All members of an organization, from senior management to temporary interns, need the same level of awareness. The awareness program in an organization should be tied in with its security policy, incident-handling plan, business continuity, and disaster recovery procedures. For an awareness-building program to be effective, it must be fresh, creative, and updated often. The awareness program should also be tied to an understanding of how the corporate culture will affect and impact security for individuals as well as the organization as a whole. If employees do not see enforcement of security policies and standards, especially at the awareness level, then they may not feel obligated to abide by them.