7/29/2019 Security and Personnel in Information security
Security and Personnel
Chapter 11
Principles of Information Security - Chapter 11 Slide 2
Security Function Within an Organization's Structure
The security function can be placed within the:
IT function
Physical security function
Administrative services function
Insurance and risk management function
Legal department
The challenge is to design a structure that balances the competing needs of the communities of interest
Organizations compromise to balance the needs of enforcement with the needs for education, training, awareness, and customer service
Staffing the Security Function
Selecting personnel is based on many criteria, including supply and demand
Many professionals enter the security market by gaining skills, experience, and credentials
At the present time the information security industry is in a period of high demand
Qualifications and Requirements
Issues in information security hiring:
Management should learn more about position requirements and qualifications
Upper management should also learn more about the budgetary needs of the infosec function
Management needs to learn more about the level of influence and prestige the information security function should be given in order to be effective
Organizations typically look for a technically qualified information security generalist
In the information security discipline, over-specialization is often a risk, and it is important to balance technical skills with general information security knowledge
Hiring Criteria
When hiring infosec professionals, organizations frequently look for individuals who understand:
How an organization operates at all levels
That information security is usually a management problem and is seldom an exclusively technical problem
People, and who have strong communication and writing skills
The roles of policy and of education and training
The threats and attacks facing an organization
How to protect the organization from attacks
How business solutions can be applied to solve specific information security problems
Many of the most common mainstream IT technologies, as generalists
The terminology of IT and information security
Entry into the Security Profession
Many information security professionals enter the field through one of two career paths:
ex-law enforcement and military personnel
technical professionals working on security applications and processes
Today, students are selecting and tailoring degree programs to prepare for work in security
Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions
Information Security Positions
The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references
Figure 11-2
InfoSec Staffing: Help Wanted
Definers provide the policies, guidelines, and standards
Builders are the real techies, who create and install security solutions
Operators run and administer the security tools, perform security monitoring, and continuously improve processes
Chief Information Security Officer
The top information security position in the organization; usually not an executive-level position, and frequently reports to the Chief Information Officer
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for InfoSec projects and technology
Makes decisions in recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
Chief Information Security Officer
Qualifications and position requirements
Often a CISSP
A graduate degree
Experience as a security manager
Security Manager
Accountable for the day-to-day operation of the information security program
Accomplishes objectives as identified by the CISO
Qualifications and position requirements:
It is not uncommon to have a CISSP
Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification
Must have the ability to draft middle- and lower-level policies as well as standards and guidelines
They must have experience in budgeting, project management, and hiring and firing
They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities
Security Technician
Technically qualified individuals tasked to configure security hardware and software
Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution
Qualifications and position requirements:
Organizations prefer the expert, certified, proficient technician
Job descriptions cover some level of experience with a particular hardware and software package
Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required
Internal Security Consultant
Typically an expert in some aspect of information security
While it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant
Must be highly proficient in the managerial aspects of security
Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO
Credentials of Information Security Professionals
Many organizations seek recognizable certifications
Most existing certifications are relatively new
Certifications:
CISSP and SSCP
Global Information Assurance Certification
Security Certified Professional
T.I.C.S.A. and T.I.C.S.E.
Security+
Certified Information Systems Auditor
Certified Information Systems Forensics Investigator
Figure 11-3
Advice for Information Security Professionals
As a future information security professional, you can benefit from suggestions on entering the information security job market:
Always remember: business first, technology last
It's all about the information
Be heard and not seen
Know more than you say, be more skillful than you let on
Speak to users, not at them
Your education is never complete
Employment Policies and Practices
The general management community of interest should integrate solid information security concepts into the organization's employment policies and practices
If the organization can include security as a documented part of every employee's job description, then perhaps information security will be taken more seriously
Hiring and Termination Issues
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel
Job Descriptions
Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions
Interviews
An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility
Background Checks
A background check is an investigation into a candidate's past
There are regulations that govern such investigations
Background checks differ in the level of detail and depth with which the candidate is examined:
Identity checks
Education and credential checks
Previous employment verification
Reference checks
Workers' compensation history
Motor vehicle records
Drug history
Credit history
Civil court history
Criminal court history
Fair Credit Reporting Act
Federal regulations exist on the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)
Background reports contain information on a job candidate's credit history, employment history, and other personal data
FCRA prohibits employers from obtaining these reports unless the candidate has been informed in writing and has given written authorization
Employment Contracts
Once a candidate has accepted the job offer, the employment contract becomes an important security instrument
Many security policies require an employee to agree in writing
If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation
New employees, however, may find policies classified as "employment contingent upon agreement", whereby the employee is not offered the position unless he or she agrees to the binding organizational policies
New Hire Orientation
As new employees are introduced into the organization's culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security
The levels of authorized access are outlined, and training is provided on the secure use of information systems
By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely
On-the-Job Security Training
As part of the new hire's ongoing job orientation, and as part of every employee's security responsibilities, the organization should conduct periodic security awareness training
Keeping security at the forefront of employees' minds and minimizing employee mistakes is an important part of the information security awareness mission
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees
Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level
Termination
When an employee leaves an organization, there are a number of security-related issues
The key is protection of all information to which the employee had access
When an employee leaves, several tasks must be performed:
Access to the organization's systems disabled
Removable media returned
Hard drives secured
File cabinet locks changed
Office door lock changed
Keycard access revoked
Personal effects removed from the organization's premises
Once cleared, they should be escorted from the premises
In addition, many organizations use an exit interview
Hostile Departure
Hostile departure (nonvoluntary): termination, downsizing, layoff, or quitting:
Before the employee is aware, all logical and keycard access is terminated
As soon as the employee reports for work, he or she is escorted into the supervisor's office
Upon receiving notice, he or she is escorted to his or her work area and allowed to collect personal belongings
The employee is asked to surrender all keys, keycards, and other company property
They are then escorted out of the building
Friendly Departure
Friendly departure (voluntary) for retirement, promotion, or relocation:
The employee may have tendered notice well in advance of the actual departure date
This actually makes it more difficult for security to maintain positive control over the employee's access and information usage
Employee access is usually allowed to continue with a new expiration date
Employees come and go at will, collect their own belongings, and leave on their own
They are asked to drop off all organizational property on their way out the door
Termination
In all circumstances, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
It is possible that employees foresee their departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment
Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine whether there has been a breach of policy or a loss of information
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed
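The post-departure log review described on this slide, together with the expiration date a friendly departure leaves on an account (the Friendly Departure slide), can be made a repeatable check rather than a manual read of the logs. The Python below is an added example and is not code from the textbook or its authors; the audit-log format, the user IDs, the authorized path prefixes, the notice and expiration dates, and the 3x volume threshold are all assumptions chosen for illustration, and every log line is constructed.

```python
"""Post-departure review of audit logs for one departed employee.

Added example, not from the textbook. The log format, user IDs, authorized
path prefixes, notice/expiration dates and the 3x volume threshold are
assumptions chosen for illustration; every log line below is constructed.
"""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "when user action obj size")

# Constructed audit log: "<ISO timestamp> <user> <action> <object> <bytes>"
SAMPLE_LOG = """\
2019-07-01T09:12:00 jdoe read /projects/alpha/design.docx 120000
2019-07-02T10:05:00 jdoe read /projects/alpha/notes.txt 4000
2019-07-03T11:00:00 jdoe write /projects/alpha/status.xlsx 52000
2019-07-16T08:55:00 jdoe read /projects/alpha/design.docx 120000
2019-07-18T17:40:00 jdoe read /projects/beta/customer_list.csv 8800000
2019-07-18T17:42:00 jdoe copy /projects/beta/customer_list.csv 8800000
2019-07-19T07:10:00 jdoe read /hr/salary_bands.xlsx 310000
2019-07-19T07:11:00 jdoe copy /hr/salary_bands.xlsx 310000
2019-07-22T09:00:00 asmith read /projects/alpha/status.xlsx 52000
2019-07-23T02:13:00 jdoe login vpn 0
2019-07-23T02:15:00 jdoe read /projects/beta/customer_list.csv 8800000
"""

# Actions that move data out of the system of record (assumed vocabulary).
EXPORT_ACTIONS = {"copy", "download", "email"}


def parse_log(text):
    """One Event per well-formed line; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, obj, size = parts
        events.append(Event(datetime.fromisoformat(ts), user, action, obj, int(size)))
    return events


def review_departure(events, user, notice, departure, authorized, ratio=3.0):
    """Sort a departed user's activity into authorized use and suspected misuse.

    notice     - when notice was given (or the decision to terminate was made)
    departure  - the expiration date: all logical access should end here
    authorized - object prefixes the user was entitled to touch
    """
    mine = [e for e in events if e.user == user]
    baseline = [e for e in mine if e.when < notice]
    window = [e for e in mine if notice <= e.when <= departure]
    # Any event after the expiration date means deprovisioning failed.
    after = [e for e in mine if e.when > departure]

    # Any object outside the authorized prefixes is a policy breach, whenever it happened.
    unauthorized = [e for e in mine if not e.obj.startswith(tuple(authorized))]

    # Objects first touched only after notice, even where nominally authorized.
    known = {e.obj for e in baseline}
    new_objects = sorted({e.obj for e in window if e.obj not in known})

    # Bytes per day during the notice period versus the pre-notice baseline.
    if baseline:
        base_days = max((notice - min(e.when for e in baseline)).days, 1)
        base_rate = sum(e.size for e in baseline) / base_days
    else:
        base_rate = 0.0
    win_rate = sum(e.size for e in window) / max((departure - notice).days, 1)
    if base_rate:
        volume_ratio = win_rate / base_rate
    else:
        volume_ratio = float("inf") if win_rate else 0.0

    return {
        "access_after_departure": after,
        "unauthorized": unauthorized,
        "new_objects_in_notice_window": new_objects,
        "exports_in_notice_window": [e for e in window if e.action in EXPORT_ACTIONS],
        "bulk_access": volume_ratio > ratio,
        "volume_ratio": round(volume_ratio, 1),
    }


def review_sample():
    """Run the review on the constructed log: jdoe gave notice on 17 July and
    the account expired at 17:00 on 22 July (both dates are assumptions)."""
    return review_departure(
        parse_log(SAMPLE_LOG),
        user="jdoe",
        notice=datetime(2019, 7, 17),
        departure=datetime(2019, 7, 22, 17, 0),
        authorized=("/projects/alpha/", "vpn"),
    )


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(key, [e.obj for e in value] if isinstance(value, list) else value)
```

The four buckets map onto the slide's distinction between authorized actions and misuse: events after the expiration date show that access was not actually revoked, events outside the authorized prefixes are policy breaches regardless of timing, and objects or export volumes that only appear once notice was given are the "collecting information before departure" pattern the slide warns about. Any non-empty bucket is the point at which the incident policy, rather than this script, takes over.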
Security Considerations for Nonemployees
A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft
Temporary Employees
Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce
As they are not employed by the host organization, they are often not subject to its contractual obligations or general policies, and if these individuals breach a policy or cause a problem, the actions available are limited
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties
Ensure that the temp's supervisor restricts the information to which they have access
Contract Employees
Contract employees are typically hired to perform specific services for the organization
The host company often makes a contract with a parent organization rather than with an individual for a particular task
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility
There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated
Consultants
Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room
Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization
Just because you pay a security consultant doesn't make the protection of your information his or her number one priority
Business Partners
Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom
Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all
Figure 11-6
Privacy and the Security of Personnel Data
Organizations are required by law to protect employee information that is sensitive or personal
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even the names and addresses of family and relatives
This responsibility also extends to customers, patients, and business relationships