Security and Personnel in Information security


Transcript of Security and Personnel in Information security

7/29/2019 Security and Personnel in Information security

Slide 1: Security and Personnel
Chapter 11

Principles of Information Security - Chapter 11, Slide 2: Security Function Within an Organization's Structure

The security function can be placed within the:
  • IT function
  • Physical security function
  • Administrative services function
  • Insurance and risk management function
  • Legal department
The challenge is to design a structure that balances the competing needs of the communities of interest.
Organizations compromise to balance the needs of enforcement with the needs for education, training, awareness, and customer service.

Slide 3: Staffing the Security Function

Selecting personnel is based on many criteria, including supply and demand.
Many professionals enter the security market by gaining skills, experience, and credentials.
At the present time the information security industry is in a period of high demand.

Slide 4: Qualifications and Requirements

Issues in information security hiring:
  • Management should learn more about position requirements and qualifications.
  • Upper management should also learn more about the budgetary needs of the infosec function.
  • Management needs to learn more about the level of influence and prestige the information security function should be given in order to be effective.
Organizations typically look for a technically qualified information security generalist.
In the information security discipline, over-specialization is often a risk, and it is important to balance technical skills with general information security knowledge.

Slide 5: Hiring Criteria

When hiring infosec professionals, organizations frequently look for individuals who understand:
  • How an organization operates at all levels
  • That information security is usually a management problem and is seldom an exclusively technical problem
  • People, and who have strong communication and writing skills
  • The roles of policy and of education and training
  • The threats and attacks facing an organization
  • How to protect the organization from attacks
  • How business solutions can be applied to solve specific information security problems
  • Many of the most common mainstream IT technologies, as generalists
  • The terminology of IT and information security

Slide 6: Entry into the Security Profession

Many information security professionals enter the field through one of two career paths:
  • ex-law enforcement and military personnel
  • technical professionals working on security applications and processes
Today, students are selecting and tailoring degree programs to prepare for work in security.
Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions.

Slide 7: Information Security Positions

The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations.
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references.

Slide 8: Figure 11-2

Slide 9: InfoSec Staffing "Help Wanted"

  • Definers provide the policies, guidelines, and standards.
  • Builders are the real techies, who create and install security solutions.
  • Operators run and administer the security tools, perform security monitoring, and continuously improve processes.

Slide 10: Chief Information Security Officer

The top information security position in the organization; not usually an executive, and frequently reports to the Chief Information Officer.
The CISO performs the following functions:
  • Manages the overall InfoSec program
  • Drafts or approves information security policies
  • Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
  • Develops InfoSec budgets based on funding
  • Sets priorities for InfoSec projects and technology
  • Makes decisions in recruiting, hiring, and firing of security staff
  • Acts as the spokesperson for the security team

Slide 11: Chief Information Security Officer

Qualifications and position requirements:
  • Often a CISSP
  • A graduate degree
  • Experience as a security manager

Slide 12: Security Manager

Accountable for the day-to-day operation of the information security program.
Accomplishes objectives as identified by the CISO.
Qualifications and position requirements:
  • It is not uncommon to have a CISSP. Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification.
  • Must have the ability to draft middle- and lower-level policies as well as standards and guidelines.
  • They must have experience in budgeting, project management, and hiring and firing.
  • They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities.

Slide 13: Security Technician

Technically qualified individuals tasked to configure security hardware and software.
Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution.
Qualifications and position requirements:
  • Organizations prefer the expert, certified, proficient technician.
  • Job descriptions cover some level of experience with a particular hardware and software package.
  • Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.

Slide 14: Internal Security Consultant

Typically an expert in some aspect of information security.
Although it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant.
Must be highly proficient in the managerial aspects of security.
Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO.

Slide 15: Credentials of Information Security Professionals

Many organizations seek recognizable certifications.
Most existing certifications are relatively new.
Certifications:
  • CISSP and SSCP
  • Global Information Assurance Certification
  • Security Certified Professional
  • T.I.C.S.A. and T.I.C.S.E.
  • Security+
  • Certified Information Systems Auditor
  • Certified Information Systems Forensics Investigator


Slide 17: Figure 11-3

Slide 18: Advice for Information Security Professionals

As a future information security professional, you can benefit from suggestions on entering the information security job market:
  • Always remember: business first, technology last
  • It's all about the information
  • Be heard and not seen
  • Know more than you say, be more skillful than you let on
  • Speak to users, not at them
  • Your education is never complete

Slide 19: Employment Policies and Practices

The general management community of interest should integrate solid information security concepts into the organization's employment policies and practices.
If the organization can include security as a documented part of every employee's job description, then perhaps information security will be taken more seriously.

Slide 20: Hiring and Termination Issues

From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls.
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel.


Slide 22: Job Descriptions

Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions.
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions.

Slide 23: Interviews

An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.
Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have.
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility.

Slide 24: Background Checks

A background check is an investigation into a candidate's past.
There are regulations that govern such investigations.
Background checks differ in the level of detail and depth with which the candidate is examined:
  • Identity checks
  • Education and credential checks
  • Previous employment verification
  • Reference checks
  • Workers' Compensation history
  • Motor vehicle records
  • Drug history
  • Credit history
  • Civil court history
  • Criminal court history

Slide 25: Fair Credit Reporting Act

Federal regulations exist on the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA).
Background reports contain information on a job candidate's credit history, employment history, and other personal data.
FCRA prohibits employers from obtaining these reports unless the candidate is informed.

Slide 26: Employment Contracts

Once a candidate has accepted the job offer, the employment contract becomes an important security instrument.
Many security policies require an employee to agree in writing.
If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation.
New employees, however, may find policies classified as "employment contingent upon agreement", whereby the employee is not offered the position unless he/she agrees to the binding organizational policies.

Slide 27: New Hire Orientation

As new employees are introduced into the organization's culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security.
The levels of authorized access are outlined, and training is provided on the secure use of information systems.
By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely.

Slide 28: On-the-Job Security Training

As part of the new hire's ongoing job orientation, and as part of every employee's security responsibilities, the organization should conduct periodic security awareness training.
Keeping security at the forefront of employees' minds and minimizing employee mistakes is an important part of the information security awareness mission.
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees.

Slide 29: Performance Evaluation

To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations.
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.

Slide 30: Termination

When an employee leaves an organization, there are a number of security-related issues. The key is protection of all information to which the employee had access.
When an employee leaves, several tasks must be performed:
  • Access to the organization's systems disabled
  • Removable media returned
  • Hard drives secured
  • File cabinet locks changed
  • Office door lock changed
  • Keycard access revoked
  • Personal effects removed from the organization's premises
Once cleared, they should be escorted from the premises.
In addition, many organizations use an exit interview.

Slide 31: Hostile Departure

Hostile departure (nonvoluntary): termination, downsizing, layoff, or quitting.
  • Before the employee is aware, all logical and keycard access is terminated.
  • As soon as the employee reports for work, he is escorted into his supervisor's office.
  • Upon receiving notice, he is escorted to his area and allowed to collect personal belongings.
  • The employee is asked to surrender all keys, keycards, and other company property.
  • They are then escorted out of the building.

Slide 32: Friendly Departure

Friendly departure (voluntary) for retirement, promotion, or relocation:
  • The employee may have tendered notice well in advance of the actual departure date.
  • This actually makes it more difficult for security to maintain positive control over the employee's access and information usage.
  • Employee access is usually allowed to continue with a new expiration date.
  • Employees come and go at will, collect their own belongings, and leave on their own.
  • They are asked to drop off all organizational property on their way out the door.

Slide 33: Termination

In all circumstances, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores.
It is possible that employees foresee their departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment.
Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine if there has been a breach of policy or a loss of information.
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.
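As an added example (not part of the textbook or these slides), the following Python script expresses the checks from slides 30 to 33 as code: whether a departed employee's logical access was disabled in time (before notification for a hostile departure, at the agreed expiration date for a friendly one), whether any activity appears under a departed account afterwards, and which downloads shortly before departure deserve an authorization review. The roster, account states, review time and log lines are constructed sample data; the "timestamp user action resource" log format and the account-state field names are assumptions, not a real directory API.

```python
"""Post-departure access review (added example; constructed data throughout).

Checks from the termination slides: departed accounts must be disabled in
time, nothing should happen under them afterwards, and downloads just before
departure are sorted into authorized work versus possible collection.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Departure:
    user: str
    departure: datetime  # hostile: notification time; friendly: expiration date
    hostile: bool        # nonvoluntary departure, in the slides' sense


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    resource: str


# Constructed roster of departed employees.
DEPARTURES = [
    Departure("jdoe", datetime(2019, 7, 29, 9, 0), hostile=True),
    Departure("asmith", datetime(2019, 7, 31, 17, 0), hostile=False),
]

# Constructed directory state; the field names are an assumption, not a real API.
ACCOUNT_STATE: Dict[str, dict] = {
    "jdoe": {"enabled": False, "disabled_at": datetime(2019, 7, 29, 8, 30)},
    "asmith": {"enabled": True, "disabled_at": None},
    "bjones": {"enabled": True, "disabled_at": None},
}

# Constructed log lines in the assumed "timestamp user action resource" format.
LOG_LINES = """\
2019-07-29T08:45:00 jdoe login vpn
2019-07-29T08:50:00 jdoe download hr-share/salaries.xlsx
2019-07-29T10:15:00 jdoe login vpn
2019-07-31T16:30:00 asmith download project-x/design.docx
2019-08-01T09:05:00 asmith login fileserver
2019-08-01T09:06:00 bjones login fileserver
"""

REVIEW_TIME = datetime(2019, 8, 1, 12, 0)  # constructed time of the review


def parse_log(text: str) -> List[Event]:
    """One Event per non-empty line; the resource may contain spaces."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, resource = line.split(maxsplit=3)
            events.append(Event(datetime.fromisoformat(ts), user, action, resource))
    return events


def check_disablement(departures, state, now: datetime) -> List[str]:
    """Confirm each departed user's logical access was disabled in time."""
    findings = []
    for d in departures:
        acct = state.get(d.user)
        if acct is None:
            findings.append(f"{d.user}: no account record; confirm deprovisioning")
            continue
        if now >= d.departure and acct["enabled"]:
            findings.append(f"{d.user}: account still enabled after departure")
        # Hostile departures: access must be off before the employee is told.
        if d.hostile and acct["disabled_at"] and acct["disabled_at"] > d.departure:
            findings.append(f"{d.user}: access disabled only after notification")
    return findings


def post_departure_events(departures, events) -> List[Event]:
    """Activity under a departed account after its cutoff is never authorized."""
    cutoff = {d.user: d.departure for d in departures}
    return [e for e in events if e.user in cutoff and e.ts > cutoff[e.user]]


def pre_departure_downloads(departures, events, window=timedelta(days=7)) -> List[Event]:
    """Downloads in the window before departure: queue for an authorization review."""
    cutoff = {d.user: d.departure for d in departures}
    return [e for e in events
            if e.user in cutoff and e.action == "download"
            and cutoff[e.user] - window <= e.ts <= cutoff[e.user]]


def run_review(now: datetime = REVIEW_TIME) -> dict:
    """Run all three checks over the constructed data and return the findings."""
    events = parse_log(LOG_LINES)
    return {
        "disablement": check_disablement(DEPARTURES, ACCOUNT_STATE, now),
        "post_departure": post_departure_events(DEPARTURES, events),
        "pre_departure_downloads": pre_departure_downloads(DEPARTURES, events),
    }


if __name__ == "__main__":
    for name, items in run_review().items():
        print(f"{name}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

On the constructed data the review reports one account (the friendly departure) still enabled past its expiration date, two events under departed accounts after their cutoffs, and two pre-departure downloads to check against what the employees were actually working on. The pre-departure list is deliberately only a review queue: the slides' point is that authorized actions have to be sorted from misuse by a person, and only then is an incident declared.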

Slide 34: Security Considerations for Nonemployees

A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information.
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.

Slide 35: Temporary Employees

Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce.
As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies, and if these individuals breach a policy or cause a problem, actions are limited.
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties.
Ensure that the temp's supervisor restricts the information to which they have access.

Slide 36: Contract Employees

Contract employees are typically hired to perform specific services for the organization.
The host company often makes a contract with a parent organization rather than with an individual for a particular task.
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility.
There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated.

Slide 37: Consultants

Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room.
Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization.
Just because you pay a security consultant doesn't make the protection of your information his or her number one priority.

Slide 38: Business Partners

Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage.
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom.
Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all.


Slide 40: Figure 11-6

Slide 41: Privacy and the Security of Personnel Data

Organizations are required by law to protect employee information that is sensitive or personal.
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives.
This responsibility also extends to customers, patients, and business relationships.