1 MANAGEMENT of INFORMATION SECURITY Second Edition

2 Learning Objectives
Upon completion of this chapter, you should be able to:
- Identify the skills and requirements for information security positions
- Recognize the various information security professional certifications, and identify which skills are encompassed by each
- Understand and implement information security constraints on the general hiring processes
- Understand the role of information security in employee terminations
- Describe the security practices used to control employee behavior and prevent misuse of information
Management of Information Security, 2nd ed. - Chapter 10

3 Introduction
Maintaining a secure environment requires that the InfoSec department be carefully structured and staffed with appropriately credentialed personnel.
It also requires that the proper procedures be integrated into all human resources activities, including hiring, training, promotion, and termination practices.

4 Staffing the Security Function
Selecting an effective mix of information security personnel requires that you consider a number of criteria; some are within the control of the organization, and others are not.
In general, when the demand for personnel with critical information security technical or managerial skills rises quickly, the initial supply often fails to meet it.
As the demand becomes known, professionals enter the job market or refocus their job skills to gain the required skills, experience, and credentials.

5 Staffing the Security Function (continued)
To move the InfoSec discipline forward:
- The general management community of interest should learn more about the requirements and qualifications for both information security positions and relevant IT positions
- Upper management should learn more about information security budgetary and personnel needs
- The IT and general management communities of interest must grant the information security function (and the CISO) an appropriate level of influence and prestige

6 Qualifications and Requirements
When hiring information security professionals at all levels, organizations frequently look for individuals who have the following abilities:
- Understand how organizations are structured and operated
- Recognize that InfoSec is a management task that cannot be handled with technology alone
- Work well with people in general, including users, and communicate effectively using both strong written and verbal communication skills
- Acknowledge the role of policy in guiding security efforts

7 Qualifications and Requirements (continued)
When hiring information security professionals at all levels, organizations frequently look for individuals who have the following abilities (continued):
- Understand the essential role of information security education and training, which helps make users part of the solution rather than part of the problem
- Perceive the threats facing an organization, understand how these threats can be transformed into attacks, and safeguard the organization from information security attacks
- Understand how technical controls can be applied to solve specific information security problems

8 Qualifications and Requirements (continued)
When hiring information security professionals at all levels, organizations frequently look for individuals who have the following abilities (continued):
- Demonstrate familiarity with the mainstream information technologies, including Disk Operating System (DOS), Windows NT/2000, Linux, and UNIX (the list reflects the platforms that were current when this edition was written)
- Understand IT and InfoSec terminology and concepts

9 Entering the Information Security Profession
Many information security professionals enter the field after prior careers in law enforcement or the military, or careers in other IT areas such as networking, programming, database administration, or systems administration.
Organizations can foster greater professionalism in the information security discipline by clearly defining their expectations and establishing explicit position descriptions.

10 Figure 10-1 Information Security Career Paths

11 Information Security Positions
Information security positions can be classified into one of three areas: those that define, those that build, and those that administer.
Definers provide the policies, guidelines, and standards. They are the people who do the consulting and the risk assessment, and who develop the product and technical architectures. These are senior people with broad knowledge, but often not a lot of depth.
Builders are the real techies, who create and install security solutions.
Administrators are the people who operate and administer the security tools and the security monitoring function, and who continuously improve the processes. This is where all the day-to-day, hard work is done.

12 Figure 10-2 Information Security Positions and Relationships

13 Chief Information Security Officer (CISO)
The CISO is typically considered the top information security officer in the organization, although the CISO is usually not an executive-level position and frequently reports to the CIO.
Although these individuals are business managers first and technologists second, they must be conversant in all areas of information security, including technology, planning, and policy.

14 CISO: Qualifications and Position Requirements
The most common qualification for the CISO is the Certified Information Systems Security Professional (CISSP), which is described later in this chapter.
A graduate degree in criminal justice, business, technology, or another related field is usually required as well.
A candidate for this position should have experience as a security manager, as well as in planning, policy, and budgets.

15 Security Manager Qualifications and Position Requirements
It is not uncommon for a security manager to have a CISSP.
These individuals must have experience in traditional business activities, including budgeting, project management, personnel management, and hiring and firing.
They must be able to draft middle- and lower-level policies, as well as standards and guidelines.
Several types of information security managers exist, and the people who fill these roles tend to be much more specialized than CISOs.

16 Security Technician
Security technicians are technically qualified individuals who configure firewalls and IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented.
The role of security technician is the typical information security entry-level position, albeit a technical one.

17 Technician Qualifications and Position Requirements
The technical qualifications and position requirements for a security technician vary.
Organizations typically prefer expert, certified, proficient technicians.
Job requirements usually include some level of experience with a particular hardware and software package.
Sometimes familiarity with a particular technology is enough to secure an applicant an interview; however, experience using the technology is usually required.

18 Information Security Professional Credentials
Many organizations rely to some extent on recognizable professional certifications to ascertain the level of proficiency possessed by any given candidate.
Many of the certification programs are relatively new, and consequently their precise value is not fully understood by most hiring organizations.
The certifying bodies work diligently to educate their constituent communities on the value and qualifications of their certificate recipients.
Employers struggle to match certifications to position requirements, while potential information security workers try to determine which certification programs will help them in the job market.

19 Certified Information Systems Security Professional (CISSP)
The CISSP is considered the most prestigious certification for security managers and CISOs.
The CISSP certification recognizes mastery of an internationally recognized common body of knowledge (CBK) in information security, covering ten domains of information security knowledge:
- Access control systems and methodology
- Applications and systems development
- Business continuity planning
- Cryptography
- Law, investigation, and ethics

20 Certified Information Systems Security Professional (CISSP) (continued)
The CISSP certification recognizes mastery of an internationally recognized common body of knowledge (CBK) in information security, covering ten domains of information security knowledge (continued):
- Operations security
- Physical security
- Security architecture and models
- Security management practices
- Telecommunications, network, and Internet security
This ten-domain CBK is the version that was current when this edition was written; (ISC)2 has since restructured the CBK into eight domains.

21 Systems Security Certified Practitioner (SSCP)
The SSCP certification is more applicable to the security technician or administrator than to the security manager, as the bulk of its questions focus on the operational nature of information security.
The SSCP focuses "on practices, roles, and responsibilities as defined by experts from major IS industries" and covers seven domains:
- Access controls
- Administration
- Audit and monitoring
- Risk, response, and recovery
- Cryptography
- Data communications
- Malicious code/malware

22 Global Information Assurance Certification (GIAC)
The SANS Institute (SysAdmin, Audit, Network, Security) has developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC).
The GIAC family of certifications can be pursued independently or combined to earn a comprehensive certification called GIAC Security Engineer (GSE), at a silver, gold, or platinum level.
The individual GIAC certifications are as follows:
- GIAC Security Essentials Certification (GSEC)
- GIAC Certified Firewall Analyst (GCFW)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Windows Security Administrator (GCWN)
- GIAC Certified UNIX Security Administrator (GCUX)
- GIAC Information Security Officer, Basic (GISO-Basic)
- GIAC Systems and Network Auditor (GSNA)
- GIAC Certified Forensic Analyst (GCFA)
- GIAC Security Leadership Certificate (GSLC)

23 Security Certified Program (SCP)
The SCP offers three tracks: the Security Certified Network Specialist (SCNS), the Security Certified Network Professional (SCNP), and the Security Certified Network Architect (SCNA).
All are designed for the security technician and emphasize technical knowledge; the SCNA also includes authentication principles.
- The SCNS is the introductory certification and covers Tactical Perimeter Defense (TPD)
- The SCNP track is the second level of certification and covers Strategic Infrastructure Security (SIS)
- The SCNA program is the advanced certification and covers Enterprise Security Implementation (ESI) and The Solution Exam (TSE)
Earlier, the program offered only two tracks: the SCNP, which targeted firewalls and intrusion detection and required the Network Security Fundamentals (NSF) and Network Defense and Countermeasures (NDC) exams, and the SCNA, which covered authentication areas including biometrics and PKI and required the PKI and Biometrics Concepts and Planning (PBC) and PKI and Biometrics Implementation (PBI) exams.

24 Security+
The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years of on-the-job networking experience, with emphasis on security.
The exam covers industry-wide topics including communication security, infrastructure security, cryptography, access control, authentication, external attack, and operational and organizational security.

25 Security+ (continued)
The exam covers five domains:
- 1.0 General security concepts
- 2.0 Communication security
- 3.0 Infrastructure security
- 4.0 Basics of cryptography
- 5.0 Operational/organizational security

26 Certified Information Systems Auditor (CISA)
The Information Systems Audit and Control Association and Foundation (ISACA) touts the CISA as being appropriate for auditing, networking, and security professionals.
The exam covers the following areas of information systems auditing:
- The IS audit process
- Management, planning, and organization of IS
- Technical infrastructure and operational practices
- Protection of information assets
- Disaster recovery and business continuity
- Business application system development, acquisition, implementation, and maintenance
- Business process evaluation and risk management

27 Certified Information Security Manager (CISM)
The CISM credential is geared toward experienced information security managers and others who may have information security management responsibilities.
The CISM can assure executive management that a candidate has the required background knowledge needed for effective security management and consulting.

28 Certified Information Security Manager (CISM) (continued)
The exam covers:
- Information security governance
- Risk management
- Information security program management
- Information security management
- Response management

29 Certified Information Forensics Investigator (CIFI)
The International Information Systems Forensics Association (IISFA) is developing the Certified Information Forensics Investigator (CIFI) certification.
This program will evaluate expertise in the tasks and responsibilities of a security administrator or security manager, including incident response, working with law enforcement, and auditing.

30 Certified Information Forensics Investigator (CIFI) (continued)
The body of knowledge includes:
- Countermeasures
- Auditing
- Incident response teams
- Law enforcement and investigation
- Traceback
- Tools and techniques

31 Certification Costs
Certifications cost money, and the preferred certifications can be expensive.
Given the nature of the knowledge needed to pass the examinations, most experienced professionals find it difficult to do well on them without at least some review.
Certifications are designed to recognize experts in their respective fields, and the cost of certification deters those who might otherwise take the exam just to see if they can pass.
Most examinations require between two and three years of work experience, and they are often structured to reward candidates who have significant hands-on experience.

32 Figure 10-3 Preparing for Security Certification

33 Employment Policies and Practices
The general management community of interest should integrate solid information security concepts across all of the organization's employment policies and practices.
Including information security responsibilities in every employee's job description and subsequent performance reviews can make an entire organization take information security more seriously.

34 Hiring
From an information security perspective, the hiring of employees is laden with potential security pitfalls.
The CISO, in cooperation with the CIO and relevant information security managers, should establish a dialogue with human resources personnel so that information security considerations become part of the hiring process.

35 Hiring Issues
Job descriptions: Organizations that provide complete job descriptions when advertising open positions should omit the elements of the job description that describe access privileges; an advertised list of privileges tells an outsider exactly which systems and data the position can reach.
Interviews: In general, information security should advise human resources to limit the information provided to candidates on the access rights of the position. When an interview includes a site visit, the tour should avoid secure and restricted sites, because the visitor could observe enough information about the operations or information security functions to represent a potential threat to the organization.

36 Hiring Issues (continued)
New hire orientation: New employees should receive, as part of their orientation, an extensive information security briefing.
On-the-job security training: Organizations should conduct periodic security awareness and training activities to keep security at the forefront of employees' minds and minimize employee mistakes.
Security checks: A background check should be conducted before the organization extends an offer to any candidate, regardless of job level.

37 Common Background Checks
- Identity checks: personal identity validation
- Education and credential checks: institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: where candidates worked, why they left, what they did, and for how long
- Reference checks: validity of references and integrity of reference sources

38 Common Background Checks (continued)
Worker’s compensation history: claims from worker’s compensation
Motor vehicle records: driving records, suspensions, and other items noted in the applicant’s public record
Drug history: drug screening and drug usage, past and present
Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position

39 Common Background Checks (continued)
Credit history: credit problems, financial problems, and bankruptcy
Civil court history: involvement as the plaintiff or defendant in civil suits
Criminal court history: criminal background, arrests, convictions, and time served

40 Contracts and Employment
Once a candidate has accepted a job offer, the employment contract becomes an important security instrument.
It is important to have these contracts and agreements in place at the time of the hire.

41 Security as Part of Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations.
Employees pay close attention to job performance evaluations, and including information security tasks in them will motivate employees to take more care when performing these tasks.

42 Termination Issues
When an employee leaves an organization, the following tasks must be performed:
The former employee’s access to the organization’s systems must be disabled.
The former employee must return all removable media.
The former employee’s hard drives must be secured.
File cabinet locks must be changed.
Office door locks must be changed.
The former employee’s keycard access must be revoked.
The former employee’s personal effects must be removed from the premises.
The former employee should be escorted from the premises, once keys, keycards, and other business property have been turned over.

43 Termination Issues (continued)
In addition to performing these tasks, many organizations conduct an exit interview to remind the employee of any contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization.
Two methods for handling employee outprocessing, depending on the employee’s reasons for leaving, are hostile and friendly departures.

44 Hostile Departure
Security cuts off all logical and keycard access before the employee is terminated.
The employee reports for work and is escorted into the supervisor’s office to receive the bad news.
The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision.
Once personal property has been gathered, the employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building.

45 Friendly Departure
The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee’s access and information usage.
Employee accounts are usually allowed to continue, with a new expiration date.
The employee can come and go at will and usually collects any belongings and leaves without escort.
The employee is asked to drop off all organizational property before departing.

46 Termination Issues
In either circumstance, the offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organizational stores.
It is possible that departing employees have collected and taken home information or assets that could be valuable in their future jobs.
Only by scrutinizing system logs during the transition period and after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine whether a breach of policy or a loss of information has occurred.
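The log scrutiny this slide calls for, as an added Python example that is not from the textbook: it reads constructed access-log lines for a departing employee and flags activity after the last day (when the account should already have been disabled or expired), reads outside the role's need-to-know scope during the notice period, and bursts of downloads in that period. The log format, user names, paths, dates and thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines (not from the textbook): "<ISO timestamp> <user> <action> <object>"
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe LOGIN vpn
2024-03-04T09:15:00 jdoe READ hr/payroll_2024.xlsx
2024-03-05T18:40:00 jdoe DOWNLOAD eng/roadmap.pdf
2024-03-05T18:41:00 jdoe DOWNLOAD eng/customer_list.csv
2024-03-05T18:42:00 jdoe DOWNLOAD eng/pricing.xlsx
2024-03-06T10:00:00 asmith READ eng/roadmap.pdf
2024-03-12T08:30:00 jdoe LOGIN vpn
"""

BULK_THRESHOLD = 3                   # downloads inside BULK_WINDOW that count as a burst (assumed)
BULK_WINDOW = timedelta(minutes=10)


@dataclass
class Departure:
    user: str
    notice_date: datetime        # start of the transition period (friendly departure)
    last_day: datetime           # after this point the account must be disabled or expired
    authorized_prefixes: tuple   # need-to-know scope of the role, e.g. ("eng/",)


@dataclass
class Finding:
    kind: str
    timestamp: datetime
    detail: str


# Constructed departure record for the sample log: notice on 4 March, last day 8 March.
EXAMPLE_DEPARTURE = Departure("jdoe", datetime(2024, 3, 4),
                              datetime(2024, 3, 8, 23, 59, 59), ("eng/",))


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, object) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = line.split(None, 3)
        events.append((datetime.fromisoformat(ts), user, action, obj))
    return events


def review_departure(log_text, dep):
    """Sort the departing employee's activity into expected use and items needing review."""
    findings, downloads = [], []
    for ts, user, action, obj in parse_log(log_text):
        if user != dep.user:
            continue
        if ts > dep.last_day:
            # Any event here means access was not revoked when it should have been.
            findings.append(Finding("post_departure_access", ts, f"{action} {obj}"))
        elif ts >= dep.notice_date:
            if action in ("READ", "DOWNLOAD") and not obj.startswith(dep.authorized_prefixes):
                findings.append(Finding("outside_need_to_know", ts, f"{action} {obj}"))
            if action == "DOWNLOAD":
                downloads.append(ts)
    # Burst detection: BULK_THRESHOLD or more downloads inside one BULK_WINDOW.
    downloads.sort()
    for i, start in enumerate(downloads):
        in_window = [t for t in downloads[i:] if t - start <= BULK_WINDOW]
        if len(in_window) >= BULK_THRESHOLD:
            findings.append(Finding("bulk_download", start,
                                    f"{len(in_window)} downloads within {BULK_WINDOW}"))
            break
    return findings


if __name__ == "__main__":
    for f in review_departure(SAMPLE_LOG, EXAMPLE_DEPARTURE):
        print(f.kind, f.timestamp.isoformat(), f.detail)
```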

47 Personnel Security Practices
There are various ways of monitoring and controlling employees to minimize their opportunities to misuse information.
Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information.
Two-man control requires that two individuals review and approve each other’s work before the task is considered complete.

48 Figure 10-6 Personnel Security Controls

49 Personnel Security Practices
Job rotation is another control used to prevent personnel from misusing information assets.
Job rotation requires that every employee be able to perform the work of at least one other employee.
If that approach is not feasible, an alternative is task rotation, in which all critical tasks can be performed by multiple individuals.

50 Personnel Security Practices (continued)
Both job rotation and task rotation ensure that no one employee is performing actions that cannot be knowledgeably reviewed by another employee.
For similar reasons, each employee should be required to take a mandatory vacation of at least one week per year.
This policy gives the organization a chance to perform a detailed review of everyone’s work.

51 Personnel Security Practices (continued)
Finally, another important way to minimize opportunities for employee misuse of information is to limit access to information.
That is, employees should be able to access only the information they need, and only for the period required to perform their tasks.
This idea is referred to as the principle of least privilege.

52 Personnel Security Practices (continued)
Similar to the need-to-know concept, least privilege ensures that no unnecessary access to data occurs.
If all employees can access all the organization’s data all the time, it is almost certain that abuses (possibly leading to losses in confidentiality, integrity, and availability) will occur.
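The three controls described on slides 47 through 52 (separation of duties, two-man control, and least privilege), as an added Python example that is not from the textbook: a conflict matrix that stops one person from holding incompatible duties, a task that counts as complete only after the two performers have approved each other's work, and access grants scoped to one resource and time-boxed to the task period. The duty names, resource names and the one-hour grant are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Duty pairs one person must never hold together (a constructed matrix, not from the textbook).
CONFLICTING_DUTIES = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"write_code", "deploy_to_production"}),
}


def separation_conflicts(duties):
    """Return every conflicting pair contained in one person's duty set."""
    held = set(duties)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= held)


def can_assign(current_duties, new_duty):
    """Check a proposed assignment against separation of duties before it is granted."""
    return not separation_conflicts(set(current_duties) | {new_duty})


@dataclass
class TwoPersonTask:
    """Two-man control: complete only when each performer has approved the other's work."""
    name: str
    performers: tuple
    approvals: dict = field(default_factory=dict)  # approver -> person whose work was approved

    def __post_init__(self):
        if len(self.performers) != 2 or self.performers[0] == self.performers[1]:
            raise ValueError("two-man control needs exactly two distinct people")

    def approve(self, approver, reviewed):
        if approver == reviewed:
            raise ValueError("self-approval is not allowed")
        if approver not in self.performers or reviewed not in self.performers:
            raise ValueError("only the assigned performers may review this task")
        self.approvals[approver] = reviewed

    def is_complete(self):
        a, b = self.performers
        return self.approvals.get(a) == b and self.approvals.get(b) == a


@dataclass
class Grant:
    resource: str
    expires: datetime


class AccessRegistry:
    """Least privilege: a grant names one resource and expires when the task period ends."""
    def __init__(self):
        self._grants = {}  # user -> list of Grant

    def grant(self, user, resource, now, duration):
        self._grants.setdefault(user, []).append(Grant(resource, now + duration))

    def can_access(self, user, resource, now):
        return any(g.resource == resource and now < g.expires
                   for g in self._grants.get(user, []))


def demo_least_privilege():
    """Constructed walk-through: a one-hour grant works during the task and not afterwards."""
    reg = AccessRegistry()
    start = datetime(2024, 3, 4, 9, 0)
    reg.grant("jdoe", "payroll_db", start, timedelta(hours=1))
    during = reg.can_access("jdoe", "payroll_db", start + timedelta(minutes=30))
    other = reg.can_access("jdoe", "hr_files", start + timedelta(minutes=30))
    after = reg.can_access("jdoe", "payroll_db", start + timedelta(hours=2))
    return during, other, after
```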

53 Security of Personnel and Personal Data
Organizations are required by law to protect sensitive or personal employee information, including personally identifying facts such as employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members.
This responsibility also extends to customers, patients, and anyone with whom the organization has business relationships.

54 Security of Personnel and Personal Data (continued)
While personnel data is, in principle, no different than other data that information security is expected to protect, certainly more regulations cover its protection.
As a result, information security procedures should ensure that this data receives at least the same level of protection as the other important data in the organization.

55 Security Considerations for Non-employees
Many individuals who are not employees often have access to sensitive organizational information.
Relationships with individuals in this category should be carefully managed to prevent threats to information assets from materializing.

56 Temporary Workers
Because temporary workers are not employed by the organization for which they’re working, they may not be subject to the contractual obligations or general policies that govern other employees.
Unless specified in its contract with the organization, the temp agency may not be liable for losses caused by its workers.
From a security standpoint, access to information for these individuals should be limited to what is necessary to perform their duties.

57 Contract Employees
While professional contractors may require access to virtually all areas of the organization to do their jobs, service contractors usually need access only to specific facilities, and they should not be allowed to wander freely in and out of buildings.
In a secure facility, all service contractors are escorted from room to room, and into and out of the facility.

58 Contract Employees (continued)
Any service agreements or contracts should contain the following regulations:
The facility requires 24 to 48 hours’ notice of a maintenance visit.
The facility requires all on-site personnel to undergo background checks.
The facility requires advance notice for cancellation or rescheduling of a maintenance visit.

59 Consultants
Consultants have their own security requirements and contractual obligations.
They should be handled like contract employees, with special requirements, such as information or facility access requirements, being integrated into the contract before they are given free access to the facility.
In particular, security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization from intentional or accidental breaches of confidentiality.

60 Consultants (continued)
Just because you pay security consultants, it doesn’t mean that protecting your information is their number one priority.
Always remember to apply the principle of least privilege when working with consultants.

61 Business Partners
Businesses sometimes engage in strategic alliances with other organizations to exchange information, integrate systems, or enjoy some other mutual advantage.
A prior business agreement must specify the levels of exposure that both organizations are willing to tolerate.

62 Business Partners (continued)
If the strategic partnership evolves into an integration of the systems of both companies, competing groups may be provided with information that neither parent organization expected.
Nondisclosure agreements are an important part of any such collaborative effort.
The level of security of both systems must be examined before any physical integration takes place, as system connection means that a vulnerability on one system becomes a vulnerability for all linked systems.

63 Summary
Introduction
Staffing the Security Function
Information Security Professional Credentials
Employment Policies and Practices

