After reviewing Chapter 2 and “Identify Threats and Vulnerabilities,” compose a 5-7 page APA-formatted report providing an in-depth risk analysis and the result of an “undetected online security breach.”
It must include an introduction and a conclusion. Please include recent peer-reviewed references not older than five years. It must include a minimum of 9 peer-reviewed citations.
Please ensure no AI use and plagiarism-free work.
Chapter 2 Personnel Security and Risk Management Concepts
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1: Security and Risk Management
1.8 Contribute to and enforce personnel security policies and procedures
1.8.1 Candidate screening and hiring
1.8.2 Employment agreements and policies
1.8.3 Onboarding and termination processes
1.8.4 Vendor, consultant, and contractor agreements and controls
1.8.5 Compliance policy requirements
1.8.6 Privacy policy requirements
1.9 Understand and apply risk management concepts
1.9.1 Identify threats and vulnerabilities
1.9.2 Risk assessment/analysis
1.9.3 Risk response
1.9.4 Countermeasure selection and implementation
1.9.5 Applicable types of controls (e.g., preventive, detective, corrective)
1.9.6 Security Control Assessment (SCA)
1.9.7 Monitoring and measurement
1.9.8 Asset valuation
1.9.9 Reporting
1.9.10 Continuous improvement
1.9.11 Risk frameworks
1.12 Establish and maintain a security awareness, education, and training program
1.12.1 Methods and techniques to present awareness and training
1.12.2 Periodic content reviews
1.12.3 Program effectiveness evaluation
Domain 6: Security Assessment and Testing
6.3.5 Training and awareness
The Security and Risk Management domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with many of the foundational elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms.
Additional elements of this domain are discussed in various chapters: Chapter 1, “Security Governance Through Principles and Policies”; Chapter 3, “Business Continuity Planning”; and Chapter 4, “Laws, Regulations, and Compliance.” Please be sure to review all of these chapters to have a complete perspective on the topics of this domain.
Because of the complexity and importance of hardware and software controls, security management for employees is often overlooked in overall security planning. This chapter explores the human side of security, from establishing secure hiring practices and job descriptions to developing an employee infrastructure. Additionally, we look at how employee training, management, and termination practices are considered an integral part of creating a secure environment. Finally, we examine how to assess and manage security risks.
Personnel Security Policies and Procedures
Humans are the weakest element in any security solution. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take into account the humanity of your users when designing and deploying security solutions for your environment. To understand and apply security governance, you must address the weakest link in your security chain—namely, people.
Issues, problems, and compromises related to humans occur at all stages of a security solution development. This is because humans are involved throughout the development, deployment, and ongoing administration of any solution. Therefore, you must evaluate the effect users, designers, programmers, developers, managers, and implementers have on the process.
Hiring new staff typically involves several distinct steps: creating a job description or position description, setting a classification for the job, screening employment candidates, and hiring and training the one best suited for the job. Without a job description, there is no consensus on what type of individual should be hired. Thus, crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires. Some organizations recognize a difference between a role description and a job description. Roles typically align to a rank or level of privilege, while job descriptions map to specifically assigned responsibilities and tasks.
Personnel should be added to an organization because there is a need for their specific skills and experience. Any job description for any position within an organization should address relevant security issues. You must consider items such as whether the position requires the handling of sensitive material or access to classified information. In effect, the job description defines the roles to which an employee needs to be assigned to perform their work tasks. The job description should define the type and extent of access the position requires on the secured network. Once these issues have been resolved, assigning a security classification to the job description is fairly standard.
The Importance of Job Descriptions
Job descriptions are important to the design and support of a security solution. However, many organizations either have overlooked this or have allowed job descriptions to become stale and out-of-sync with reality. Try to track down your job description. Do you even have one? If so, when was it last updated? Does it accurately reflect your job? Does it describe the type of security access you need to perform the prescribed job responsibilities? Some organizations must craft job descriptions to be in compliance with Service Organization Control (SOC) 2, while others following ISO 27001 require annual reviews of job descriptions.
Important elements in constructing job descriptions that are in line with organizational processes include separation of duties, job responsibilities, and job rotation.
Separation of Duties
Separation of duties is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators (Figure 2.1). This prevents any one person from having the ability to undermine or subvert vital security mechanisms. Think of separation of duties as the application of the principle of least privilege to administrators. Separation of duties is also a protection against collusion. Collusion is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage. By limiting the powers of individuals, separation of duties requires employees to work with others to commit larger violations. The act of finding others to assist in a violation and then the actions to perform that violation are more likely to leave behind evidence and be detectable, which directly reduces the occurrence of collusion (via deterrence, the chance that they might get caught). Thus, collusion is difficult and increases risk to the initiator prior to the commission of the act.
FIGURE 2.1 An example of separation of duties related to five admin tasks and seven administrators
Job Responsibilities
Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. Depending on their responsibilities, employees require access to various objects, resources, and services. On a secured network, users must be granted access privileges for those elements related to their work tasks. To maintain the greatest security, access should be assigned according to the principle of least privilege. The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. True application of this principle requires low-level granular control over all resources and functions.
Job Rotation
Job rotation, or rotating employees among multiple job positions, is simply a means by which an organization improves its overall security (Figure 2.2). Job rotation serves two functions. First, it provides a type of knowledge redundancy. When multiple employees are all capable of performing the work tasks required by several job positions, the organization is less likely to experience serious downtime or loss in productivity if an illness or other incident keeps one or more employees out of work for an extended period of time.
FIGURE 2.2 An example of job rotation among management positions
Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. The longer a person works in a specific position, the more likely they are to be assigned additional work tasks and thus expand their privileges and access. As a person becomes increasingly familiar with their work tasks, they may abuse their privileges for personal gain or malice. If misuse or abuse is committed by one employee, it will be easier to detect by another employee who knows the job position and work responsibilities. Therefore, job rotation also provides a form of peer auditing and protects against collusion.
Job rotation requires that security privileges and accesses be reviewed to maintain the principle of least privilege. One concern with job rotation, cross-training, and long-tenure employees is their continued collection of privileges and accesses, many of which they no longer need. The assignment of privileges, permissions, rights, access, and so on, should be periodically reviewed to check for privilege creep or misalignment with job responsibilities. Privilege creep occurs when workers accumulate privileges over time as their job responsibilities change. The end result is that a worker has more privileges than the principle of least privilege would dictate based on that individual’s current job responsibilities.
Cross-training
Cross-training is often discussed as an alternative to job rotation. In both cases, workers learn the responsibilities and tasks of multiple job positions. However, in cross-training the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis. Cross-training enables existing personnel to fill the work gap when the proper employee is unavailable as a type of emergency response procedure.
When several people work together to perpetrate a crime, it’s called collusion. Employing the principles of separation of duties, restricted job responsibilities, and job rotation reduces the likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme because of the higher risk of detection. Collusion and other privilege abuses can be reduced through strict monitoring of special privileges, such as those of an administrator, backup operator, user manager, and others.
Job descriptions are not used exclusively for the hiring process; they should be maintained throughout the life of the organization. Only through detailed job descriptions can a comparison be made between what a person should be responsible for and what they actually are responsible for. It is a managerial task to ensure that job descriptions overlap as little as possible and that one worker’s responsibilities do not drift or encroach on those of another. Likewise, managers should audit privilege assignments to ensure that workers do not obtain access that is not strictly required for them to accomplish their work tasks.
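The privilege audit that the separation-of-duties, least-privilege and privilege-creep passages above call for can be scripted once job descriptions are recorded as required permissions. The following is an added example, not code from the book or any vendor; the positions, permissions, conflict pairs and user assignments are all constructed for illustration.

```python
"""Least-privilege and separation-of-duties review over a constructed
role model. Added illustration; every position, permission and user
below is made up for the example."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed job descriptions: the permissions each position's work
# tasks actually require. This is the least-privilege baseline that the
# review compares granted access against.
JOB_DESCRIPTIONS: Dict[str, Set[str]] = {
    "backup_operator": {"backup.read", "backup.write"},
    "user_manager": {"user.create", "user.disable"},
    "firewall_admin": {"fw.rules.edit", "fw.logs.read"},
    "auditor": {"fw.logs.read", "backup.read"},
}

# Constructed separation-of-duties rules: permission sets that must never
# be held by a single person (e.g. creating an account and approving its
# access, or editing firewall rules and purging the logs that record it).
SOD_CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"user.create", "access.approve"}),
    frozenset({"fw.rules.edit", "fw.logs.purge"}),
]

# Constructed current IAM state: user -> (position, permissions granted).
# alice rotated from backup operator to user manager and kept her old
# rights; bob and dave were granted extra permissions "temporarily".
ASSIGNMENTS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("user_manager", {"user.create", "user.disable",
                               "backup.read", "backup.write"}),
    "bob": ("firewall_admin", {"fw.rules.edit", "fw.logs.read",
                               "fw.logs.purge"}),
    "carol": ("auditor", {"fw.logs.read", "backup.read"}),
    "dave": ("user_manager", {"user.create", "user.disable",
                              "access.approve"}),
}


def excess_privileges(position: str, granted: Set[str]) -> List[str]:
    """Privilege creep: permissions granted beyond the job description.
    An unknown position has no baseline, so everything granted is excess."""
    required = JOB_DESCRIPTIONS.get(position, set())
    return sorted(granted - required)


def sod_violations(granted: Set[str]) -> List[Tuple[str, ...]]:
    """Conflict sets that are fully held by one person."""
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= granted)


def review(assignments: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, dict]:
    """Run both checks for every user; only users with findings are listed.
    Removing the excess permissions also clears the SoD hits here, because
    no job description legitimately spans a whole conflict set."""
    findings: Dict[str, dict] = {}
    for user, (position, granted) in assignments.items():
        creep = excess_privileges(position, granted)
        sod = sod_violations(granted)
        if creep or sod:
            findings[user] = {"position": position,
                              "privilege_creep": creep,
                              "sod_violations": sod}
    return findings


def baseline_is_sod_clean(descriptions: Dict[str, Set[str]]) -> bool:
    """Sanity check on the job descriptions themselves: no single position
    may require a full conflict set, or SoD is broken by design."""
    return all(not sod_violations(perms) for perms in descriptions.values())


if __name__ == "__main__":
    print("baseline SoD-clean:", baseline_is_sod_clean(JOB_DESCRIPTIONS))
    for user, finding in review(ASSIGNMENTS).items():
        print(user, finding)
```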
Candidate Screening and Hiring
Employment candidate screening for a specific position is based on the sensitivity and classification defined by the job description. The sensitivity and classification of a specific position is dependent on the level of harm that could be caused by accidental or intentional violations of security by a person in the position. Thus, the thoroughness of the screening process should reflect the security of the position to be filled.
Employment candidate screening, background checks, reference checks, education verification, and security clearance validation are essential elements in proving that a candidate is adequate, qualified, and trustworthy for a secured position. Background checks include obtaining a candidate’s work and educational history; checking references; verifying education; interviewing colleagues, neighbors, and friends; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver’s license, and birth certificate; and holding a personal interview. This process could also include a polygraph test, drug testing, and personality testing/evaluation.
Performing online background checks and reviewing the social networking accounts of applicants has become standard practice for many organizations. If a potential employee has posted inappropriate materials to their photo sharing site, social networking biographies, or public instant messaging services, then they are not as attractive a candidate as those who did not. Our actions in the public eye become permanent when they are recorded in text, photo, or video and then posted online. A general picture of a person’s attitude, intelligence, loyalty, common sense, diligence, honesty, respect, consistency, and adherence to social norms and/or corporate culture can be gleaned quickly by viewing a person’s online identity.
Employment Agreements and Policies
When a new employee is hired, they should sign an employment agreement. Such a document outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee. These items might be separate documents. In such a case, the employment agreement is used to verify that the employment candidate has read and understood the associated documentation for their prospective job position.
In addition to employment agreements, there may be other security-related documentation that must be addressed. One common document is a nondisclosure agreement (NDA). An NDA is used to protect the confidential information within an organization from being disclosed by a former employee. When a person signs an NDA, they agree not to disclose any information that is defined as confidential to anyone outside the organization. Violations of an NDA are often met with strict penalties.
NCA: The NDA’s Evil Sibling
The NDA has a common companion contract known as the noncompete agreement (NCA). The noncompete agreement attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization in order to prevent that second organization from benefiting from the worker’s special knowledge of secrets. NCAs are also used to prevent workers from jumping from one company to another competing company just because of salary increases or other incentives. Often NCAs have a time limit, such as six months, one year, or even three years. The goal is to allow the original company to maintain its competitive edge by keeping its human resources working for its benefit rather than against it.
Many companies require new hires to sign NCAs. However, fully enforcing an NCA in court is often a difficult battle. The court recognizes the need for a worker to be able to work using the skills and knowledge they have in order to provide for themselves and their families. If the NCA would prevent a person from earning a reasonable income, the courts often invalidate the NCA or prevent its consequences from being realized.
Even if an NCA is not always enforceable in court, however, that does not mean it doesn’t have benefits to the original company, such as the following:
The threat of a lawsuit because of NCA violations is often sufficient incentive to prevent a worker from violating the terms of secrecy when they seek employment with a new company.
If a worker does violate the terms of the NCA, then even without specifically defined consequences being levied by court restrictions, the time and effort, not to mention the cost, of battling the issue in court is a deterrent.
Did you sign an NCA when you were hired? If so, do you know the terms and the potential consequences if you break that NCA?
Throughout the employment lifetime of personnel, managers should regularly audit the job descriptions, work tasks, privileges, and responsibilities for every staff member. It is common for work tasks and privileges to drift over time. This can cause some tasks to be overlooked and others to be performed multiple times. Drifting or privilege creep can also result in security violations. Regularly reviewing the boundaries of each job description in relation to what is actually occurring aids in keeping security violations to a minimum.
A key part of this review process is enforcing mandatory vacations. In many secured environments, mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. The vacation removes the employee from the work environment and places a different worker in their position, which makes it easier to detect abuse, fraud, or negligence on the part of the original employee.
Onboarding and Termination Processes
Onboarding is the process of adding new employees to the identity and access management (IAM) system of an organization. The onboarding process is also used when an employee’s role or position changes or when that person is awarded additional levels of privilege or access.
Offboarding is the reverse of this process. It is the removal of an employee’s identity from the IAM system once that person has left the organization. This can include disabling and/or deleting the user account, revoking certificates, canceling access codes, and terminating other specifically granted privileges. This may also include informing security guards and other physical access management personnel to disallow entry into the building to the person in the future.
The procedures for onboarding and offboarding should be clearly documented in order to ensure consistency of application as well as compliance with regulations or contractual obligations.
Onboarding can also refer to organizational socialization. This is the process by which new employees are trained in order to be properly prepared for performing their job responsibilities. It can include training, job skill acquisition, and behavioral adaptation in an effort to integrate employees efficiently into existing organizational processes and procedures. Well-designed onboarding can result in higher levels of job satisfaction, higher levels of productivity, faster integration with existing workers, a rise in organizational loyalty, stress reduction, and a decreased occurrence of resignation. Another benefit of well-designed onboarding, in the context of separation of duties and job responsibilities, is that it applies the principle of least privilege as previously discussed.
When an employee must be terminated or offboarded, numerous issues must be addressed. A strong relationship between the security department and human resources (HR) is essential to maintain control and minimize risks during termination. An employee termination process or procedure policy is essential to maintaining a secure environment when a disgruntled employee must be removed from the organization. The reactions of terminated employees can range from calm, understanding acceptance to violent, destructive rage. A sensible procedure for handling terminations must be designed and implemented to reduce incidents.
The termination of an employee should be handled in a private and respectful manner. However, this does not mean that precautions should not be taken. Terminations should take place with at least one witness, preferably a higher-level manager and/or a security guard. Once the employee has been informed of their release, they should be escorted off the premises and not allowed to return to their work area without an escort for any reason. Before the employee is released, all organization-specific identification, access, or security badges as well as cards, keys, and access tokens should be collected (Figure 2.3). Generally, the best time to terminate an employee is at the end of their shift midweek. An early to midweek termination provides the ex-employee with time to file for unemployment and/or start looking for new employment before the weekend. Also, end-of-shift terminations allow the worker to leave with other employees in a more natural departure, thus reducing stress.
FIGURE 2.3 Ex-employees must return all company property
When possible, an exit interview should be performed. However, this typically depends on the mental state of the employee upon release and numerous other factors. If an exit interview is unfeasible immediately upon termination, it should be conducted as soon as possible. The primary purpose of the exit interview is to review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation.
The following list includes some other issues that should be handled as soon as possible:
Make sure the employee returns any organizational equipment or supplies from their vehicle or home.
Remove or disable the employee’s network user account.
Notify human resources to issue a final paycheck, pay any unused vacation time, and terminate benefit coverage.
Arrange for a member of the security department to accompany the released employee while they gather their personal belongings from the work area.
Inform all security personnel and anyone else who watches or monitors any entrance point to ensure that the ex-employee does not attempt to reenter the building without an escort.
In most cases, you should disable or remove an employee’s system access at the same time as or just before they are notified of being terminated. This is especially true if that employee is capable of accessing confidential data or has the expertise or access to alter or damage data or services. Failing to restrict released employees’ activities can leave your organization open to a wide range of vulnerabilities, including theft and destruction of both physical property and logical data.
Firing: Not Just a Pink Slip Anymore
Firing an employee has become a complex process. Gone are the days of firing merely by placing a pink slip in an employee’s mail slot. In most IT-centric organizations, termination can create a situation in which the employee could cause harm, putting the organization at risk. That’s why you need a well-designed exit interview process.
However, just having the process isn’t enough. It has to be followed correctly every time. Unfortunately, this doesn’t always happen. You might have heard of some fiasco caused by a botched termination procedure. Common examples include performing any of the following before the employee is officially informed of their termination (thus giving the employee prior warning of their termination):
The information technology (IT) department requesting the return of a notebook computer
Disabling a network account
Blocking a person’s personal identification number (PIN) or smart card for building entrance
Revoking a parking pass
Distributing a company reorganization chart
Positioning a new employee in the cubicle
Allowing layoff information to be leaked to the media
It should go without saying that in order for the exit interview and safe termination processes to function properly, they must be implemented in the correct order and at the correct time (that is, at the start of the exit interview), as in the following example:
Inform the person that they are relieved of their job.
Request the return of all access badges, keys, and company equipment.
Disable the person’s electronic access to all aspects of the organization.
Remind the person about the NDA obligations.
Escort the person off the premises.
Vendor, Consultant, and Contractor Agreements and Controls
Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA).
Using SLAs is an increasingly popular way to ensure that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed on by both the service provider and the vendor. It’s a wise move to put SLAs in place for any data circuits, applications, information processing systems, databases, or other critical components that are vital to your organization’s continued viability. SLAs are important when using any type of third-party service provider, which would include cloud services. The following issues are commonly addressed in SLAs:
System uptime (as a percentage of overall operating time)
Maximum consecutive downtime (in seconds/minutes/and so on)
Peak load
Average load
Responsibility for diagnostics
Failover time (if redundancy is in place)
SLAs also commonly include financial and other contractual remedies that kick in if the agreement is not maintained. For example, if a critical circuit is down for more than 15 minutes, the service provider might agree to waive all charges on that circuit for one week.
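Uptime percentage and maximum consecutive downtime are only useful SLA terms if you measure them yourself rather than relying on the provider's numbers. The following added example (not from the book or any provider) evaluates a constructed DOWN/UP monitoring log for one circuit against constructed thresholds, handles an outage still open at the end of the reporting period, and counts credit weeks under a remedy of the kind described above (one week waived per outage over 15 minutes).

```python
"""Evaluate SLA uptime and maximum-consecutive-downtime terms from a
constructed availability log. Added example; the thresholds, the log and
the remedy rule are all made up for illustration."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed monitoring log for one circuit: ISO-8601 UTC timestamp and
# state. The final DOWN has no matching UP, i.e. the circuit was still
# down when the reporting period closed.
LOG_LINES = """
2024-03-04T10:00:00Z DOWN
2024-03-04T10:22:00Z UP
2024-03-12T02:15:00Z DOWN
2024-03-12T02:23:00Z UP
2024-03-31T23:30:00Z DOWN
""".strip().splitlines()

# Reporting period: the month of March 2024 (31 days = 44,640 minutes).
PERIOD_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2024, 4, 1, tzinfo=timezone.utc)


def parse_outages(lines: List[str],
                  period_end: datetime) -> List[Tuple[datetime, datetime]]:
    """Pair each DOWN with the next UP. Repeated DOWN/UP lines are ignored,
    and an unterminated DOWN is closed at period_end so an ongoing outage
    still counts against this period rather than disappearing."""
    outages: List[Tuple[datetime, datetime]] = []
    down_since = None
    for line in lines:
        stamp, state = line.split()
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if state == "DOWN" and down_since is None:
            down_since = ts
        elif state == "UP" and down_since is not None:
            outages.append((down_since, ts))
            down_since = None
    if down_since is not None:
        outages.append((down_since, period_end))
    return outages


def evaluate_sla(outages: List[Tuple[datetime, datetime]],
                 period_start: datetime, period_end: datetime,
                 min_uptime_pct: float, max_outage_min: float,
                 credit_threshold_min: float = 15.0) -> Dict[str, object]:
    """Compare measured availability with the agreed terms and work out
    how many one-week credits the constructed remedy clause yields."""
    period_min = (period_end - period_start).total_seconds() / 60
    durations = [(end - start).total_seconds() / 60 for start, end in outages]
    downtime = sum(durations)
    uptime_pct = 100.0 * (period_min - downtime) / period_min
    longest = max(durations, default=0.0)
    return {
        "uptime_pct": uptime_pct,
        "longest_outage_min": longest,
        "uptime_met": uptime_pct >= min_uptime_pct,
        "max_outage_met": longest <= max_outage_min,
        "credit_weeks": sum(1 for d in durations if d > credit_threshold_min),
    }


if __name__ == "__main__":
    found = parse_outages(LOG_LINES, PERIOD_END)
    # Constructed terms: 99.9% uptime, no single outage over 30 minutes.
    result = evaluate_sla(found, PERIOD_START, PERIOD_END, 99.9, 30.0)
    for key, value in result.items():
        print(f"{key}: {value}")
```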
SLAs and vendor, consultant, and contractor controls are an important part of risk reduction and risk avoidance. By clearly defining the expectations and penalties for external parties, everyone involved knows what is expected of them and what the consequences are in the event of a failure to meet those expectations. Although it may be very cost effective to use outside providers for a variety of business functions or services, it does increase potential risk by expanding the potential attack surface and range of vulnerabilities. SLAs should include a focus on protecting and improving security in addition to ensuring quality and timely services at a reasonable price. Some SLAs are set and cannot be adjusted, while with others you may have significant influence over their content. You should ensure that an SLA supports the tenets of your security policy and infrastructure rather than being in conflict with it, which could introduce weak points, vulnerabilities, or exceptions.
Compliance Policy Requirements
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern to security governance. On a personnel level, compliance is related to whether individual employees follow company policy and perform their job tasks in accordance with defined procedures. Many organizations rely on employee compliance in order to maintain high levels of quality, consistency, efficiency, and cost savings. If employees do not maintain compliance, it could cost the organization i