Which of the following control pairings include: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?
The Answer: Preventive/Administrative Pairing: These mechanisms include organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
The controls listed in the question are all administrative and preventive controls that an organization can implement to enhance its security posture.
Organizational policies and procedures: These are documents that define the rules and regulations for all employees and users within an organization. Policies and procedures can cover various topics, including information security, acceptable use, access controls, and incident response. By implementing and enforcing policies and procedures, an organization can reduce the risk of security incidents caused by human error or intentional wrongdoing.
Pre-employment background checks: This control is designed to vet potential employees before they are hired. Background checks can include criminal history, credit history, and education verification, among other things. By conducting thorough background checks, an organization can reduce the risk of hiring individuals who may pose a security risk.
Strict hiring practices: This control involves carefully screening job applicants to ensure that they meet the organization's standards for employment. For example, an organization might require that all applicants have a minimum level of education, relevant experience, or professional certifications. By maintaining strict hiring practices, an organization can reduce the risk of hiring employees who are not qualified or trustworthy.
Employment agreements: These are legal documents that outline the terms and conditions of employment for a specific employee. Employment agreements can include confidentiality agreements, non-compete clauses, and intellectual property clauses, among other things. By requiring employees to sign employment agreements, an organization can reduce the risk of employees disclosing sensitive information or competing with the organization after they leave.
Employee termination procedures: This control outlines the steps that an organization must take when terminating an employee, including revoking access to information systems and networks. By following established termination procedures, an organization can reduce the risk of security incidents caused by disgruntled employees.
Vacation scheduling: This control involves requiring employees to schedule and take regular vacations. By requiring employees to take time off, an organization can reduce the risk of insider threats caused by employees who feel overworked, overwhelmed, or unappreciated.
Labeling of sensitive materials: This control involves clearly marking sensitive information with appropriate labels or markings. By labeling sensitive information, an organization can reduce the risk of inadvertent disclosure or mishandling of information.
Increased supervision: This control involves increasing the level of supervision for employees who handle sensitive information or perform critical functions. By providing additional oversight, an organization can reduce the risk of security incidents caused by human error or intentional wrongdoing.
Security awareness training: This control involves providing training to all employees on how to identify and respond to security threats. By increasing employee awareness of security risks and best practices, an organization can reduce the risk of security incidents caused by human error.
Behavior awareness: This control involves training employees to recognize and report suspicious behavior, both within the organization and from external sources. By increasing employee awareness of potential security threats, an organization can reduce the risk of security incidents caused by social engineering or other forms of manipulation.
Sign-up procedures to obtain access to information systems and networks: This control involves requiring employees to follow established procedures for requesting and obtaining access to information systems and networks. By controlling access to sensitive information, an organization can reduce the risk of security incidents caused by unauthorized access or misuse.
Based on the above, it is clear that the correct answer is A. Preventive/Administrative Pairing, as all the controls listed fall under the categories of preventive or administrative controls. Preventive controls are designed to prevent security incidents from occurring, while administrative controls are policies and procedures that are designed to manage security risks.