🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 2.1 - Personnel Security Policies & Procedures (Part 2 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series picks up the personnel lifecycle where Part 1 left off, following people through the rest of their time with the organization. Continuing Domain 1, Part 2 of 2 covers how insider risk grows quietly over the years β€” and how to audit it, expose it, and close out accounts and contracts without leaving open doors.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

Why do privileges drift over time?

Because work tasks change faster than access reviews do, so permissions creep upward like a keyring that keeps growing but never shrinks. Excess privilege is pure risk: it widens the blast radius of an honest mistake, hands a disgruntled worker more power to cause harm, and gives an attacker who hijacks the account more to exploit. Managers should regularly audit each person’s duties, privileges, and responsibilities and trim access back to what the role needs.

How do mandatory vacations expose hidden fraud?

By forcing a fresh pair of eyes onto someone’s work. Common in the financial industry, a mandatory vacation sends a worker away, without remote access, for a week or two while an auditor covers their duties, making it far easier to spot abuse, fraud, or negligence hiding in the daily routine. Passwords are never shared β€” the account is reset for the auditor, then reset again when the worker returns.

How do you offboard someone cleanly?

By reversing onboarding through the identity and access management system: a full offboarding disables or deletes the account, revokes certificates, and cancels access codes. It also applies when someone transfers between departments or locations, which some organizations treat as a termination and rehire. It is common to deactivate rather than delete right away, keeping the identity for a few months of auditing so security logs still point to a real account.

Why is termination timing so delicate?

Because a warned employee can do real damage before they walk out. A strong bond between security and human resources keeps a termination controlled: hold the meeting with a witness, remind the person of their obligations, and collect all badges, devices, keys, and tokens. The critical rule is to disable the account at the same time as, or just before, the person is told β€” deactivating access early, requesting a device back, or reassigning a desk can all leak the news.

Why put a service-level agreement in place?

Because it turns expectations into enforceable commitments, holding a provider to an agreed standard of service β€” essential for any third party, including cloud providers. It often includes financial remedies when the provider falls short, such as waiving a month’s fee if a critical link stays down past an agreed window. Outsourcing can transfer some risk but also expands your attack surface, so the agreement must support your security policy, and a vendor management system can centralize contracts, encrypt communications, and log vendor activity.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 2.1 - Personnel Security Policies & Procedures (Part 2 of 2).