SCR4473 Information Security Personnel

Date post: 07-Apr-2018

8/6/2019 SCR4473 Information Security Personnel (59 slides)

Entry into the Security Profession

Many information security professionals enter the field through one of two career paths: ex-law enforcement and military personnel, or technical professionals working on security applications and processes. Today, students are selecting and tailoring degree programs to prepare for work in security.

Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions.

Figure 11-2

InfoSec Staffing: Help Wanted

Definers provide the policies, guidelines, and standards.
Builders are the real techies, who create and install security solutions.
Operators run and administer the security tools, perform security monitoring, and continuously improve processes.

Chief Information Security Officer

The top information security position in the organization; not usually an executive, and frequently reports to the Chief Information Officer.

The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for InfoSec projects & technology
Makes decisions in recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team

Security Manager

Accountable for the day-to-day operation of the information security program. Accomplishes objectives as identified by the CISO.

Qualifications and position requirements:
It is not uncommon to have a CISSP. Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification.
Must have the ability to draft middle- and lower-level policies as well as standards and guidelines.
They must have experience in budgeting, project management, and hiring and firing.
They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities.

Security Technician

Technically qualified individuals tasked to configure security hardware and software. They tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution.

Qualifications and position requirements:
Organizations prefer the expert, certified, proficient technician.
Job descriptions cover some level of experience with a particular hardware and software package.
Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.

Internal Security Consultant

Typically an expert in some aspect of information security.
Although it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant.
Must be highly proficient in the managerial aspects of security.
Information security consultants usually enter the field after working as experts in the discipline, and often have experience as a security manager or CISO.

Credentials of Information Security Professionals

Many organizations seek recognizable certifications. Most existing certifications are relatively new.

Certifications:
CISSP and SSCP
Global Information Assurance Certification
Security Certified Professional
T.I.C.S.A. and T.I.C.S.E.
Security+
Certified Information Systems Auditor
Certified Information Systems Forensics Investigator

Advice for Information Security Professionals

As a future information security professional, you can benefit from suggestions on entering the information security job market:
Always remember: business first, technology last
It's all about the information
Be heard and not seen
Know more than you say, be more skillful than you let on
Speak to users, not at them
Your education is never complete

Staffing the Security Function

Selecting personnel is based on many criteria, including supply and demand.
Many professionals enter the security market by gaining skills, experience, and credentials.
At the present time the information security industry is in a period of high demand.

Qualifications and Requirements

Organizations typically look for a technically qualified information security generalist.
In the information security discipline, over-specialization is often a risk, and it is important to balance technical skills with general information security knowledge.

Interaction of Security Components

(Diagram.) Protective (Security) Components: Security Personnel, Employee Support, Alarms & Hardware, Security Policy & Procedures. Relationships shown between them: Compliance, Controls, Enforcement, Safeguards, Utilization, Reinforcement, Response.

Personnel Security Procedure

The organization develops, disseminates, and periodically reviews and updates:

1. A formal, documented personnel security policy.
2. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
3. A formal procedure to review and document the list of approved personnel with access to information systems.

Personnel Security Procedure

PERSONNEL SECURITY POLICY addresses:
The purpose of the security programme as it relates to protecting the organization's personnel and assets.
The scope of the security programme as it applies to all the organizational staff and third-party contractors.
The roles, responsibilities, and management accountability structure of the security programme to ensure compliance with the organization's security policy and other regulatory commitments.

Personnel Security

Involves those measures taken to safeguard a company's employees and those coming to a place of business, either for business reasons or as guests.
Probably the most recent concerns classified under personnel security are executive protection and background investigations.

Personnel

Customers
Visitors
Employees
Executives
Contractors & Consultants
Unauthorized persons

Customers and Visitors

Due diligence is the rule of thumb when it comes to protecting people who come to your premises.
History of security incidents where people have been the target.
Efforts to provide adequate security can prevent or reduce liability.
Workplace violence prevention plan.

Personnel Life Cycle

(Diagram.) Hire, Place in Job, Transfer, Terminate.

Hiring Practices

Organizations must take special care during the interview to determine each candidate's level of personal and professional integrity.
The sensitive nature and value of the assets that employees will be handling require an in-depth screening process.

Hiring Practices (Cont.)

At a minimum, the screening process should include a series of comprehensive interviews that emphasize integrity as well as technical qualifications.
References from former employers should be examined and verified. This includes former teachers, friends, co-workers, & supervisors.

Hiring Practices (Cont.)

Former employers are usually in the best position to rate the applicant accurately, providing a candid assessment of strengths and weaknesses, personal ethics, past earnings, etc.
Unfortunately, many employers have become increasingly cautious about releasing such information, necessitating release forms.

Hiring Practices (Cont.)

Use of a reference authorization and hold-harmless agreement oftentimes provides the necessary information.
Be sure reference authorizations have: the signature of the applicant; releases for former & prospective employers; and a clear specification of the type of information that may be revealed.

Hiring Criteria

When hiring infosec professionals, organizations frequently look for individuals who understand:
How an organization operates at all levels
That information security is usually a management problem and is seldom an exclusively technical problem
People, and who have strong communications and writing skills
The roles of policy and education and training
The threats and attacks facing an organization
How to protect the organization from attacks
How business solutions can be applied to solve specific information security problems
Many of the most common mainstream IT technologies, as generalists
The terminology of IT and information security

Hiring Practices (Cont.)

What to Look For? A Straw Person, Perhaps?
Education
Experience
Training
Professional Certifications
Stable Work History
Clear Criminal Record
Fiscal Responsibility
Background Continuity
Physical Fitness

Employment Policies and Practices

The general management community of interest should integrate solid information security concepts into the organization's employment policies and practices.
If the organization can include security as a documented part of every employee's job description, then perhaps information security will be taken more seriously.

Figure 11-4

Job Descriptions

Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions.
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions.

Interviews

An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.
Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have.
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility.

Background Checks

A background check is an investigation into a candidate's past. There are regulations that govern such investigations.
Background checks differ in the level of detail and depth with which the candidate is examined:
Identity checks
Education and credential checks
Previous employment verification
Reference checks
Workers' Compensation history
Motor vehicle records
Drug history
Credit history
Civil court history
Criminal court history

Fair Credit Reporting Act

Federal regulations exist on the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA).
Background reports contain information on a job candidate's credit history, employment history, and other personal data.
FCRA prohibits employers from obtaining these reports unless the candidate is informed.

Employment Contracts

Once a candidate has accepted the job offer, the employment contract becomes an important security instrument.
Many security policies require an employee to agree in writing. If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation.
New employees, however, may find policies classified as employment contingent upon agreement, whereby the employee is not offered the position unless he/she agrees to the binding organizational policies.

On-the-Job Security Training

As part of the new hire's ongoing job orientation, and as part of every employee's security responsibilities, the organization should conduct periodic security awareness training.
Keeping security at the forefront of employees' minds and minimizing employee mistakes is an important part of the information security awareness mission.
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees.

Performance Evaluation

To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations.
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.

Personnel Transfer

The organization reviews logical and physical access permissions to information systems and facilities when individuals are reassigned or transferred to other positions within the organization, and initiates appropriate actions.
Complete execution of this control within a certain period of time for employees or contractors who no longer need to access security system resources.

Personnel Transfer

Appropriate actions may include:

1. Returning old and issuing new keys, identification cards, and building passes
2. Closing old accounts and establishing new accounts
3. Changing system access privileges
4. Providing access to official records created or controlled by the employee at the former work location and in the former accounts.

Personnel Terminate

When an employee leaves an organization, there are a number of security-related issues. The key is protection of all information to which the employee had access.

When an employee leaves, several tasks must be performed:
Access to the organization's systems disabled
Removable media returned
Hard drives secured
File cabinet locks changed
Office door lock changed
Keycard access revoked
Personal effects removed from the organization's premises
Once cleared, they should be escorted from the premises
In addition, many organizations use an exit interview

Hostile Departure

Hostile departure (nonvoluntary): termination, downsizing, layoff, or quitting:
Before the employee is aware, all logical and keycard access is terminated
As soon as the employee reports for work, he is escorted into his supervisor's office
Upon receiving notice, he is escorted to his area and allowed to collect personal belongings
Employee asked to surrender all keys, keycards, and other company property
They are then escorted out of the building

Friendly Departure

Friendly departure (voluntary) for retirement, promotion, or relocation:
Employee may have tendered notice well in advance of the actual departure date
This actually makes it more difficult for security to maintain positive control over the employee's access and information usage
Employee access is usually allowed to continue with a new expiration date
Employees come and go at will, collect their own belongings, and leave on their own
They are asked to drop off all organizational property on their way out the door

Termination

In all circumstances, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores.
It is possible that employees foresee departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment.
Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine if there has been a breach of policy or a loss of information.
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.
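The access review on transfer (step 3 of the "Personnel Transfer" slide) and the post-departure log scrutiny described in the "Termination" slide, as an added Python example that is not part of the lecture slides. The role-to-entitlement map, the user names and the audit-log lines are constructed for the illustration, and the "TIMESTAMP key=value" log format is an assumption.

```python
from datetime import datetime

# Constructed role-to-entitlement map (hypothetical names): what each position needs.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"hr_portal:read", "payroll_db:write", "finance_share:rw"},
    "help_desk":     {"hr_portal:read", "ticketing:write", "ad:password_reset"},
}


def transfer_actions(current_entitlements, new_role):
    """Transfer step 3 ("Changing system access privileges"): return what to
    revoke and what to grant so the employee keeps only what the new position
    needs (least privilege), instead of accumulating the old role's access."""
    needed = ROLE_ENTITLEMENTS[new_role]
    have = set(current_entitlements)
    return sorted(have - needed), sorted(needed - have)


def _ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2019-08-01T09:12:03Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line):
    """Parse one constructed 'TIMESTAMP key=value ...' audit record into a dict."""
    ts, *fields = line.split()
    rec = {"ts": _ts(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def departure_review(log_lines, user, notice_at, left_at,
                     collection_actions=("export", "copy_removable")):
    """Termination slide: sort a departed user's logged activity into findings.
    - any event after left_at means the account was not actually disabled;
    - bulk-collection actions between notice and departure are the
      "collecting organizational information in advance" pattern the slide warns about.
    Everything else is left as ordinary authorized activity."""
    notice_at, left_at = _ts(notice_at), _ts(left_at)
    findings = {"access_not_disabled": [], "collection_during_notice": []}
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("user") != user:
            continue
        if rec["ts"] > left_at:
            findings["access_not_disabled"].append(line)
        elif rec["ts"] >= notice_at and rec.get("action") in collection_actions:
            findings["collection_during_notice"].append(line)
    return findings


# Constructed sample audit log (not real data).
SAMPLE_LOG = [
    "2019-07-20T09:02:11Z user=jdoe action=login src=10.0.0.12",
    "2019-07-29T17:40:05Z user=jdoe action=export object=customer_list rows=48000",
    "2019-07-30T08:15:42Z user=jdoe action=copy_removable object=q2_forecast.xlsx",
    "2019-07-30T08:20:00Z user=asmith action=export object=customer_list rows=120",
    "2019-08-01T16:55:09Z user=jdoe action=logout",
    "2019-08-03T02:14:37Z user=jdoe action=login src=203.0.113.9",
]

if __name__ == "__main__":
    revoke, grant = transfer_actions(ROLE_ENTITLEMENTS["payroll_clerk"], "help_desk")
    print("transfer payroll_clerk -> help_desk: revoke", revoke, "grant", grant)
    # jdoe gave notice on 2019-07-25 and left at 17:00 on 2019-08-01.
    report = departure_review(SAMPLE_LOG, "jdoe",
                              "2019-07-25T00:00:00Z", "2019-08-01T17:00:00Z")
    for kind, lines in report.items():
        print(kind, len(lines))
        for line in lines:
            print("   ", line)
```

Each finding is a candidate for the "declare an incident" step on the slide; the review only separates the log into categories and does not decide on its own what was misuse.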

Temporary Employees

Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce.
As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies, and if these individuals breach a policy or cause a problem, actions are limited.
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties.
Ensure that the temp's supervisor restricts the information to which they have access.

Contract Employees

Contract employees are typically hired to perform specific services for the organization.
The host company often makes a contract with a parent organization rather than with an individual for a particular task.
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility.
There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated.

Consultants

Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room.
Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization.
Just because you pay a security consultant doesn't make the protection of your information his or her number one priority.

Business Partners

Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage.
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom.
Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all.

Separation of Duties and Collusion

The completion of a significant task that involves sensitive information should require two people, using the check-and-balance method, to avoid collusion.
A similar concept is that of two-man control, where two individuals review and approve each other's work before the task is categorized as finished.
Another control used is job rotation, where employees know each other's job skills.
A mandatory vacation of at least one week provides the ability to audit the work.
Need-to-know and least privilege ensure that no unnecessary access to data occurs, and that only those individuals who must access the data do so.

Figure 11-6

Privacy and the Security of Personnel Data

Organizations are required by law to protect employee information that is sensitive or personal.
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives.
This responsibility also extends to customers, patients, and business relationships.

Hiring and Termination Issues

From an information security perspective, the hiring of employees is a responsibility concerned with potential security pitfalls.
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel.

Personnel Life Cycle

(Diagram.) Hire, Place in Job, Transfer, Terminate.

What about contractors/third-party/vendors?

Third-Party/Vendors

Third-party providers may include:
service bureaus
contractors
other organizations providing:
  control system operation and maintenance
  IT services, development, outsourced applications
  network and security management

Contracting and Outsourcing

Required provisions:
Protect assets from unauthorized access, disclosure, modification, destruction or interference
Execute particular security processes or activities
Ensure responsibility is assigned to the individual for actions taken
Report security events or potential events or other security risks to the organization.

Summary

PERSONNEL SECURITY and INFORMATION SECURITY management should cooperate to identify:
Specific job positions/roles/contracts which may need additional screening/training
Information Security common and special training requirements
System access and termination procedures
Adequate disciplinary measures

Summary

Insider threat and other human issues are the leading causes of information security breaches: take your personnel security issues seriously!

