If you're considering taking the CCSP exam, my new book of practice questions just went live as an Amazon ebook today (it ships as a paperback on the 12th of this month): Official CCSP Practice Tests.
I'd be very interested to hear any feedback you might have, either here, via email, or as Amazon reviews.
Thanks, and good luck to those taking the test!
Ha! It'll be our secret. Happy new year.
@Ben_Malisow wrote: If you're considering taking the CCSP exam, my new book of practice questions just went live as an Amazon ebook today (it ships as a paperback on the 12th of this month): Official CCSP Practice Tests.
I'd be very interested to hear any feedback you might have, either here, via email, or as Amazon reviews.
Thanks, and good luck to those taking the test!
Hi Ben,
I have gone through Question 86 and I just want to confirm if this is the correct answer. I think it would not be appropriate to check the personal financial accounts of privileged users as that would be against data privacy. What do you think?
Very good question! I offer two answers...one flippant, and one more serious:
- Flip: any person who takes a position where they have control over other people, including limiting their access to resources and information, should be willing to have their own data inspected and reviewed, no matter how personal.
- Serious: it depends on the jurisdiction, and I should amend the question/answer in future editions of the book for that reason. In the US, revealing credit/financial history for a privileged position is commonplace...but it would be against the law in many other jurisdictions (for instance, the EU).
Really good feedback, and thanks for your insight!
At the very least a general credit check being carried out is commonplace as part of personnel screening, certainly in the UK and I believe across the rest of Europe too.
Obviously, you do need to consent to it and it needs to be appropriate to be covered under privacy laws. The thought process is people under financial strain could be more susceptible to bribery, and therefore a general credit check is considered appropriate for many roles.
In terms of a review of individual financial accounts, this would only be appropriate for roles requiring various levels of Security Clearance to access classified information etc, but again you do need to consent to the process.
@AlecTrevelyan wrote: At the very least a general credit check being carried out is commonplace as part of personnel screening, certainly in the UK and I believe across the rest of Europe too.
Obviously, you do need to consent to it and it needs to be appropriate to be covered under privacy laws. The thought process is people under financial strain could be more susceptible to bribery, and therefore a general credit check is considered appropriate for many roles.
In terms of a review of individual financial accounts, this would only be appropriate for roles requiring various levels of Security Clearance to access classified information etc, but again you do need to consent to the process.
I work for a US defense contractor and we use HireRight to do background checks for everyone we hire. As was stated the level and depth of the background check will vary based on your access. The insider threat cannot be understated and that threat is multifaceted. We all worry about advanced threats getting into our infrastructure but what about that IT admin who already has access? For our PKI team we decided a Secret clearance is the most effective way to meet audit and get a solid background check done. They have little access to classified but the process is very effective. Running a credit check is pretty much standard practice for any position with any level of trust involved.
I have also seen pat-down checks to see if they are carrying a USB drive or any data storage devices.
To your point that any "person who takes a position where they have control over other people, including limiting their access to resources and information, should be willing to have their own data inspected and reviewed, no matter how personal", if I am a system administrator, I wouldn't agree to that as I am not looking into the personal data of other people and will only be restricting or controlling the use of organizational data which they handle. So I do not have any obligation to allow them to review my personal data.
But as others have mentioned here, if it is an organizational requirement, then you cannot do much about it. But you can always choose if you want to take that job or not.
I would say criminal background verification makes more sense than judging whether an employee will take a bribe based on his financial status or data.
Actually, the best test would be to see if the person's ego is being sufficiently stroked; all the most substantial non-political insider damage* (the SF ransomware admin, the Aussie sewage dude, Aldrich Ames, Richard Hansen, etc.) has come from people mostly (not completely, but mostly) motivated by "nobody appreciates me enough."
But we don't have a test for that. So money is the proxy we can use.
(I'd count Snowden and Manning as political, the lottery guy and Choicepoint as strictly money, and Pollard as money and political. Of course, there's always sex, but that's usually a front for political, like JJ Smith and Petraeus, and I don't count that as insider because of the external impetus, even if the insider is unaware of externality.)
Hi Ben,
Wanted to check if "C" can be the correct answer as the senior management can refer to the top threats and issues from the SIEM when deciding the risk parameters. I am not saying this can be the sole input to decide the risk parameter but can be one of the inputs for deciding risk parameter. Can you share your thoughts?
Warm regards,
Jacob
Uhhhh... I hate to admit this, but that's actually a much better answer. I have to fix this question in the revision. Thanks for pointing it out!