1. Security and Personnel �Chapter 11 I think we need to be paranoid optimists.
-- Robert J. Eaton
2. Principles of Information Security - Chapter 11 Slide 2 Learning Objectives: Upon completion of this chapter you should be able to:
Understand where and how the information security function is positioned within organizations.
Understand the issues and concerns about staffing the information security function.
Know about the credentials that professionals in the information security field can acquire.
Recognize how an organization’s employment policies and practices can support the information security effort.
Understand the special security precautions necessary for nonemployees.
Recognize the need for the separation of duties.
Understand the special requirements needed for the privacy of personnel data. Learning Objectives:
Upon completion of this chapter you should be able to:
Understand where and how the information security function is positioned within organizations
Understand the issues and concerns about staffing the information security function
Know about the credentials professionals in the information security field can acquire
Recognize how an organization’s employment policies and practices can support the information security effort
Understand the special security precautions necessary for nonemployees
Recognize the need for the separation of duties
Understand the special requirements needed for the privacy of personnel dataLearning Objectives:
Upon completion of this chapter you should be able to:
Understand where and how the information security function is positioned within organizations
Understand the issues and concerns about staffing the information security function
Know about the credentials professionals in the information security field can acquire
Recognize how an organization’s employment policies and practices can support the information security effort
Understand the special security precautions necessary for nonemployees
Recognize the need for the separation of duties
Understand the special requirements needed for the privacy of personnel data
3. Principles of Information Security - Chapter 11 Slide 3 Security Function Within an Organization’s Structure The security function can be placed within the:
IT function
Physical security function
Administrative services function
Insurance and risk management function
Legal department
The challenge is to design a structure that balances the competing needs of the communities of interest
Organizations compromise to balance needs of enforcement with needs for education, training, awareness, and customer service INTRODUCTION
When implementing information security, there are many human resource issues that must be addressed.
First, the entire organization must decide how to position and name the security function.
Second, the communities of interest must plan for the proper staffing for the information security function.
Third, the IT community of interest must understand the impact of information security across every role in the IT function and adjust job descriptions and documented practices accordingly.
Finally, the general management community of interest must work with the information security professionals to integrate solid information security concepts into the personnel management practices of the organization.
Understanding the impact of change to personnel management practices of the organization is important in the success of the implementation phase.
Experience has shown that employees often feel threatened when an organization is creating or enhancing an overall information security program.
Quelling the doubts and reassuring the employees is a fundamental part of the implementation process. It is important to supply adequate resources to gather and respond quickly to employee feedback.
Security Function Within An Organization’s Structure
In Charles Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy the author indicates that the security function can be placed within the:
IT function, as a peer of other functions (networks, applications development, and help desk)
Physical security function, as a peer of physical security or protective services
Administrative services function, as a peer of human resources or purchasing
Insurance and risk management function
Legal department
The challenge is to design a reporting structure for the information security function that balances the competing needs of each of the communities of interest.
Organizations find compromise by placing the information security function where it can best balance the needs of enforcement of organizational policy with the education, training, awareness, and customer service needed to make information security part of the organizational culture.
INTRODUCTION
When implementing information security, there are many human resource issues that must be addressed.
First, the entire organization must decide how to position and name the security function.
Second, the communities of interest must plan for the proper staffing for the information security function.
Third, the IT community of interest must understand the impact of information security across every role in the IT function and adjust job descriptions and documented practices accordingly.
Finally, the general management community of interest must work with the information security professionals to integrate solid information security concepts into the personnel management practices of the organization.
Understanding the impact of change to personnel management practices of the organization is important in the success of the implementation phase.
Experience has shown that employees often feel threatened when an organization is creating or enhancing an overall information security program.
Quelling the doubts and reassuring the employees is a fundamental part of the implementation process. It is important to supply adequate resources to gather and respond quickly to employee feedback.
Security Function Within An Organization’s Structure
In Charles Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy the author indicates that the security function can be placed within the:
IT function, as a peer of other functions (networks, applications development, and help desk)
Physical security function, as a peer of physical security or protective services
Administrative services function, as a peer of human resources or purchasing
Insurance and risk management function
Legal department
The challenge is to design a reporting structure for the information security function that balances the competing needs of each of the communities of interest.
Organizations find compromise by placing the information security function where it can best balance the needs of enforcement of organizational policy with the education, training, awareness, and customer service needed to make information security part of the organizational culture.
4. Principles of Information Security - Chapter 11 Slide 4 Staffing the Security Function Selecting personnel is based on many criteria, including supply and demand
Many professionals enter the security market by gaining skills, experience, and credentials
At the present time the information security industry is in a period of high demand Staffing The Security Function
Selecting information security personnel is based on a number of criteria, including the principles of supply and demand.
Many potential professionals seek to enter the security market by gaining the skills, experience, and credentials to qualify as a new supply.
Until the new supply reaches the demand level, organizations must pay the higher costs associated with the current limited supply.
Once the supply reaches a level at or above demand, the organizations hiring these skills become selective, and the cost they are willing to pay drops.
At the present time the information security industry is in a period of high demand, with few qualified individuals available for organizations seeking their services.
Staffing The Security Function
Selecting information security personnel is based on a number of criteria, including the principles of supply and demand.
Many potential professionals seek to enter the security market by gaining the skills, experience, and credentials to qualify as a new supply.
Until the new supply reaches the demand level, organizations must pay the higher costs associated with the current limited supply.
Once the supply reaches a level at or above demand, the organizations hiring these skills become selective, and the cost they are willing to pay drops.
At the present time the information security industry is in a period of high demand, with few qualified individuals available for organizations seeking their services.
5. Principles of Information Security - Chapter 11 Slide 5 Qualifications and Requirements Issues in information security hiring:
Management should learn more about position requirements and qualifications
Upper management should also learn more about the budgetary needs of the infosec function
Management needs to learn more about the level of influence and prestige the information security function should be given in order to be effective
Organizations typically look for a technically qualified information security generalist
In the information security discipline, over-specialization is often a risk and it is important to balance technical skills with general information security knowledge Qualifications and Requirements
There are a number of factors that influence an organization’s hiring decisions. In many organizations, information security teams lack established roles and responsibilities.
For the information security discipline to move forward, these factors must be addressed:
Management should learn more about position requirements and qualifications for both information security positions and IT positions that impact infosec.
Upper management should also learn more about the budgetary needs of the infosec function.
IT and management need to learn more about the level of influence and prestige the information security function should be given in order to be effective.
In most cases, organizations look for a technically qualified information security generalist, with a solid understanding of how an organization operates.
In many other career fields, the more specialized professionals become, the more marketable they are. But, in the information security discipline, over-specialization is often a risk.
It is important to balance technical skills with general information security knowledge.Qualifications and Requirements
There are a number of factors that influence an organization’s hiring decisions. In many organizations, information security teams lack established roles and responsibilities.
For the information security discipline to move forward, these factors must be addressed:
Management should learn more about position requirements and qualifications for both information security positions and IT positions that impact infosec.
Upper management should also learn more about the budgetary needs of the infosec function.
IT and management need to learn more about the level of influence and prestige the information security function should be given in order to be effective.
In most cases, organizations look for a technically qualified information security generalist, with a solid understanding of how an organization operates.
In many other career fields, the more specialized professionals become, the more marketable they are. But, in the information security discipline, over-specialization is often a risk.
It is important to balance technical skills with general information security knowledge.
6. Principles of Information Security - Chapter 11 Slide 6 Hiring Criteria When hiring infosec professionals, organizations frequently look for individuals who understand:
How an organization operates at all levels
Information security is usually a management problem and is seldom an exclusively technical problem
People and have strong communications and writing skills
The roles of policy and education and training
The threats and attacks facing an organization
How to protect the organization from attacks
How business solutions can be applied to solve specific information security problems
Many of the most common mainstream IT technologies as generalists
The terminology of IT and information security Hiring Criteria
When hiring InfoSec professionals, organizations frequently look for individuals who understand:
How an organization operates at all levels
Information security is usually a management problem and is seldom an exclusively technical problem
People and have strong communications and writing skills
The roles of policy and education and training
The threats and attacks facing an organization
How to protect the organization from attacks
How business solutions can be applied to solve specific information security problems
Many of the most common mainstream IT technologies as generalists
The terminology of IT and information security
Hiring Criteria
When hiring InfoSec professionals, organizations frequently look for individuals who understand:
How an organization operates at all levels
Information security is usually a management problem and is seldom an exclusively technical problem
People and have strong communications and writing skills
The roles of policy and education and training
The threats and attacks facing an organization
How to protect the organization from attacks
How business solutions can be applied to solve specific information security problems
Many of the most common mainstream IT technologies as generalists
The terminology of IT and information security
7. Principles of Information Security - Chapter 11 Slide 7 Entry into the Security Profession Many information security professionals enter the field through one of two career paths:
ex-law enforcement and military personnel
technical professionals working on security applications and processes
Today, students are selecting and tailoring degree programs to prepare for work in security
Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions Entry into the Security Profession
Many information security professionals enter the field through one of two career paths:
First, ex-law enforcement and military personnel move from their respective environments into the more business-oriented world of information security, and
Second, technical professionals find themselves working on security applications and processes more often than on traditional IS tasks.
Today, college graduates and upper division students are selecting and tailoring degree programs to prepare for work in the field of security.
The current perception in InfoSec is that a security professional must first be a proven professional in another field of IT.
IT professionals, however, who move into information security tend to focus on the technology to the exclusion of general information security issues.
Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions.
Entry into the Security Profession
Many information security professionals enter the field through one of two career paths:
First, ex-law enforcement and military personnel move from their respective environments into the more business-oriented world of information security, and
Second, technical professionals find themselves working on security applications and processes more often than on traditional IS tasks.
Today, college graduates and upper division students are selecting and tailoring degree programs to prepare for work in the field of security.
The current perception in InfoSec is that a security professional must first be a proven professional in another field of IT.
IT professionals, however, who move into information security tend to focus on the technology to the exclusion of general information security issues.
Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions.
8. Principles of Information Security - Chapter 11 Slide 8 Information Security Positions The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references Information Security Positions
The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations.
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references like Wood’s book Information Security Roles and Responsibilities Made Easy, or Schwartz, et al’s report “InfoSec Staffing Help Wanted”.
Information Security Positions
The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations.
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references like Wood’s book Information Security Roles and Responsibilities Made Easy, or Schwartz, et al’s report “InfoSec Staffing Help Wanted”.
9. Principles of Information Security - Chapter 11 Slide 9 Figure 11-2
10. Principles of Information Security - Chapter 11 Slide 10 InfoSec Staffing Help Wanted Definers provide the policies, guidelines, and standards
Builders are the real techies, who create and install security solutions
Operators run and administer the security tools, perform security monitoring, and continuously improve processes InfoSec Staffing Help Wanted
“Definers provide the policies, guidelines and standards…They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth.
Then you have the builders. They're the real techies, who create and install security solutions.
You have the operators who run and administrate the security tools, the security monitoring function, and the people who continuously improve the processes. This is where all the day-to-day, hard work is done. What I find is we often try to use the same people for all of these roles.”
InfoSec Staffing Help Wanted
“Definers provide the policies, guidelines and standards…They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth.
Then you have the builders. They're the real techies, who create and install security solutions.
You have the operators who run and administrate the security tools, the security monitoring function, and the people who continuously improve the processes. This is where all the day-to-day, hard work is done. What I find is we often try to use the same people for all of these roles.”
11. Principles of Information Security - Chapter 11 Slide 11 Chief Information Security Officer The top information security position in the organization, not usually an executive and frequently reports to the Chief Information Officer
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for InfoSec projects & technology
Makes decisions in recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
Chief Information Security Officer
This position is typically considered the top information security officer in the organization.
The CISO is usually not an executive level position and frequently reports to the Chief Information Officer.
Though CISOs are business managers first and technologists second, they must also be conversant in all areas of security, including technical, planning, and policy.
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for the purchase and implementation of InfoSec projects & technology
Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
Qualifications and Position Requirements.
The most common qualification expected for this type of position is the Certified Information Systems Security Professional.
A graduate degree in one of the following areas is also probably required: criminal justice, business, technology, or other related fields.
To qualify for this level position, the candidate demonstrates experience as a security manager and presents experience with planning, policy, and budgets.
Chief Information Security Officer
This position is typically considered the top information security officer in the organization.
The CISO is usually not an executive level position and frequently reports to the Chief Information Officer.
Though CISOs are business managers first and technologists second, they must also be conversant in all areas of security, including technical, planning, and policy.
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for the purchase and implementation of InfoSec projects & technology
Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
Qualifications and Position Requirements.
The most common qualification expected for this type of position is the Certified Information Systems Security Professional.
A graduate degree in one of the following areas is also probably required: criminal justice, business, technology, or other related fields.
To qualify for this level position, the candidate demonstrates experience as a security manager and presents experience with planning, policy, and budgets.
12. Principles of Information Security - Chapter 11 Slide 12 Chief Information Security Officer
Qualifications and position requirements
Often a CISSP
A graduate degree
Experience as a security manager Chief Information Security Officer
This position is typically considered the top information security officer in the organization.
The CISO is usually not an executive level position and frequently reports to the Chief Information Officer.
Though CISOs are business managers first and technologists second, they must also be conversant in all areas of security, including technical, planning, and policy.
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for the purchase and implementation of InfoSec projects & technology
Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
Qualifications and Position Requirements.
The most common qualification expected for this type of position is the Certified Information Systems Security Professional.
A graduate degree in one of the following areas is also probably required: criminal justice, business, technology, or other related fields.
To qualify for this level position, the candidate demonstrates experience as a security manager and presents experience with planning, policy, and budgets.
Chief Information Security Officer
This position is typically considered the top information security officer in the organization.
The CISO is usually not an executive level position and frequently reports to the Chief Information Officer.
Though CISOs are business managers first and technologists second, they must also be conversant in all areas of security, including technical, planning, and policy.
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for the purchase and implementation of InfoSec projects & technology
Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
Qualifications and Position Requirements.
The most common qualification expected for this type of position is the Certified Information Systems Security Professional.
A graduate degree in one of the following areas is also probably required: criminal justice, business, technology, or other related fields.
To qualify for this level position, the candidate demonstrates experience as a security manager and presents experience with planning, policy, and budgets.
13. Principles of Information Security - Chapter 11 Slide 13 Security Manager Accountable for the day-to-day operation of the information security program
Accomplishes objectives as identified by the CISO
Qualifications and position requirements:
It is not uncommon to have a CISSP
Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification
Must have the ability to draft middle- and lower-level policies as well as standards and guidelines
They must have experience in budgeting, project management, and hiring and firing
They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities Security Manager
Security managers are accountable for the day-to-day operation of the information security program.
They accomplish objectives as identified by the CISO and resolve issues identified by technicians.
Within the information security community, there may be team leaders or project managers who are responsible for certain management-like functions, such as scheduling, setting relative priorities, or administering any number of procedural tasks, but are not necessarily held accountable for making a particular technology function.
Qualifications and Position Requirements.
It is not uncommon for a candidate for this position to have a CISSP. Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification.
Security managers must have the ability to draft middle and lower level policies as well as standards and guidelines.
They must have experience in traditional business matters: budgeting, project management, and hiring and firing.
They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities.
Security Manager
Security managers are accountable for the day-to-day operation of the information security program.
They accomplish objectives as identified by the CISO and resolve issues identified by technicians.
Within the information security community, there may be team leaders or project managers who are responsible for certain management-like functions, such as scheduling, setting relative priorities, or administering any number of procedural tasks, but are not necessarily held accountable for making a particular technology function.
Qualifications and Position Requirements.
It is not uncommon for a candidate for this position to have a CISSP. Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification.
Security managers must have the ability to draft middle and lower level policies as well as standards and guidelines.
They must have experience in traditional business matters: budgeting, project management, and hiring and firing.
They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities.
14. Principles of Information Security - Chapter 11 Slide 14 Security Technician Technically qualified individuals tasked to configure security hardware and software
Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution
Qualifications and position requirements:
Organizations prefer the expert, certified, proficient technician
Job descriptions cover some level of experience with a particular hardware and software package
Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required Security Technician
Security technicians are the technically qualified individuals tasked to configure security hardware and software and coordinate with administrators to ensure security is properly implemented.
A security technician is the ideal entry-level position; however, some technical skills are usually required.
Just as in networking, security technicians tend to be specialized, focusing on one major security technology group, and further specializing in one software or hardware package within the group.
If a security technician wants to move up, they must gain an understanding of the general, organizational issues of InfoSec as well.
Qualifications and Position Requirements.
The technical qualifications and position requirements for a security technician are varied.
Organizations prefer the expert, certified, proficient technician.
Regardless of the area, the particular job description covers some level of experience with a particular hardware and software package.
Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.
Security Technician
Security technicians are the technically qualified individuals tasked to configure security hardware and software and coordinate with administrators to ensure security is properly implemented.
A security technician is the ideal entry-level position; however, some technical skills are usually required.
Just as in networking, security technicians tend to be specialized, focusing on one major security technology group, and further specializing in one software or hardware package within the group.
If a security technician wants to move up, they must gain an understanding of the general, organizational issues of InfoSec as well.
Qualifications and Position Requirements.
The technical qualifications and position requirements for a security technician are varied.
Organizations prefer the expert, certified, proficient technician.
Regardless of the area, the particular job description covers some level of experience with a particular hardware and software package.
Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.
15. Principles of Information Security - Chapter 11 Slide 15 Internal Security Consultant Typically an expert in some aspect of information security
Usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant
Must be highly proficient in the managerial aspects of security
Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO Internal Security Consultant
The information security consultant is typically an expert in some aspect of information security, usually brought in when the organization makes the decision to outsource aspects of its security program.
While it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant.
The security consultant must be highly proficient in the managerial aspects of security and have access to staff that can perform the technical implementations.
It is widely known that most consultancies are idea generators and not implementers.
Information security consultants usually enter the field after working as experts in the discipline.
A good security consultant often has experience as a security manager or CISO.
Some consultants are recruited by service companies, and as a result the job description is based on the needs and services of that particular company.
Internal Security Consultant
The information security consultant is typically an expert in some aspect of information security, usually brought in when the organization makes the decision to outsource aspects of its security program.
While it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant.
The security consultant must be highly proficient in the managerial aspects of security and have access to staff that can perform the technical implementations.
It is widely known that most consultancies are idea generators and not implementers.
Information security consultants usually enter the field after working as experts in the discipline.
A good security consultant often has experience as a security manager or CISO.
Some consultants are recruited by service companies, and as a result the job description is based on the needs and services of that particular company.
16. Principles of Information Security - Chapter 11 Slide 16 Credentials of Information Security Professionals Many organizations seek recognizable certifications
Most existing certifications are relatively new
Certifications:
CISSP and SSCP
Global Information Assurance Certification
Security Certified Professional
T.I.C.S.A. and T.I.C.S.E.
Security+
Certified Information Systems Auditor
Certified Information Systems Forensics Investigator Credentials Of Information Security Professionals
Many organizations seek recognizable certifications to indicate the level of proficiency associated with the various security positions.
Most existing certifications are relatively new and not fully understood by hiring organizations.
The certifying bodies work hard to educate the general public on the value and qualifications of their certificate recipients.
Employers are trying to understand the match between certifications and the position requirements, and the candidates are trying to gain meaningful employment based on their newly received certifications.
CISSP and SSCP
Considered the most prestigious certification for security managers and CISOs, the CISSP is one of two certifications offered by the International Information Systems Security Certification Consortium. The SSCP is the other.
In order to sit for the CISSP exam, the candidate must possess at least three years of direct full-time security professional work in one or more of ten domains of information security knowledge:
Access control systems and methodology, Applications and systems development, Business continuity planning, Cryptography, Law, investigation, and ethics, Operations security, Physical security, Security architecture and models, Security management practices, and Telecommunications, network and internet security
Once a candidate receives the CISSP, he or she must earn a specific number of continuing education credits every three years to retain the certification.
Like the CISSP, the SSCP certification is more applicable to the security manager than the technician, because most questions focus on the operational nature of InfoSec.
The SSCP focuses “on practices, roles and responsibilities as defined by experts from major IS industries.”
The SSCP covers seven domains: Access controls, Administration, Audit and monitoring, Risk, response, and recovery, Cryptography, Data communications, Malicious code and malware.
Global Information Assurance Certification
SANS developed a series of technical security certifications in 1999, known as the GIAC. At the time, there were no technical certifications.
The GIAC family of certifications can be pursued independently or combined to earn the comprehensive certification, GIAC Security Engineer (GSE).
Like the SSCP, the GIAC Information Security Officer (GISO) is an overview certification that combines basic technical knowledge with understanding of threats, risks, and best practices.
Unlike other certifications, GIAC certifications require the applicant to first complete a written practical assignment before being allowed to take the exam. GIAC Certifications include:
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Information Security Officer - Basic (GISO - Basic)
GIAC Systems and Network Auditor (GSNA)
GIAC Certified Forensic Analyst (GCFA)
GIAC Security Leadership Certificate (GSLC)
To obtain the GIAC Certified Engineer, which is considered the pinnacle of GIAC certifications, candidates must earn all of the above certifications and receive honors recognition in at least one, before they are even allowed to sit for the final certification.
GIAC is designed not only to test knowledge of a field, but also to require application of that knowledge through the practicum.
While there are a growing number of entry-level certifications, GIAC currently offers the only advanced technical certifications.
Security Certified Professional
One of the newest certifications in information security, the SCP certification provides two tracks: the Security Certified Network Professional and the Security Certified Network Architect.
The SCNP track focuses on firewalls and intrusion detection, and requires two exams.
Network Security Fundamentals (NSF)
Network Defense and Countermeasures (NDC)
The SCNA program focuses more on authentication, including biometrics and PKI:
PKI and Biometrics Concepts and Planning (PBC)
PKI and Biometrics Implementation (PBI)
T.I.C.S.A. and T.I.C.S.E.
The TruSecure ICSA certifications are among the first vendor-sponsored certifications, that focuses on providing certifications that are skills- and knowledge-based, technology specific, and pragmatic.
A candidate must demonstrate appropriate experience and training before being allowed to sit for the examinations.
The T.I.C.S.A. certification is highly technical and is targeted towards network and systems administrators.
The examination is also based on the following TruSecure six categories of risk:
Electronic: External and internal, Hacking and sniffing, Spoofing.
Malicious code: Viruses and worms, Java and ActiveX, Trojans.
Physical: Theft and terminal hijack.
Human: Social engineering.
Privacy
Downtime: DoS attacks, Bugs, Power, Civil unrest, Natural disasters
Firewall implementation
Security policy formulation and implementation
Risk analysis
Attack method identification and solutions
Bastion hosts and system hardening techniques
Proxy server filtering properties
Packet filter definition and filtering criteria
Basic packet filter rule set design
VPN deployment
OS security expertise
Applied cryptography (PGP, S/MIME, VPNs)
Key management issues and solutions
Incident response planning
Biometrics
Network and computer forensics
Security+
CompTIA (www.comptia.com) is in the process of defining the body of knowledge necessary for their next certification.
The Security + certification will probably be similar to the Network + certification and to many others in its focus on key skills necessary to perform security, without being tied to a particular software or hardware vendor package.
Certified Information Systems Auditor
The CISA certification contains many information security components.
The Information Systems Audit and Control Association promotes the certification for auditing, networking, and security professionals.
Many of the CISA certifications have requirements common to other security certifications including:
Successful completion of the CISA examination
Experience as an information systems auditor
Agreement to the Code of Professional Ethics and the Information Systems Auditing Standards
Continuing education
The exam covers the following areas of information systems auditing:
The IS audit process (10 percent)
Management, planning, and organization of IS (11 percent)
Technical infrastructure and operational practices (13 percent)
Protection of information assets (25 percent)
Disaster recovery and business continuity (10 percent)
Business application system development, acquisition, implementation, and maintenance (16 percent)
Business process evaluation and risk management (15 percent)
The exam is only offered once a year, so advanced planning is a must.
Certified Information Systems Forensics Investigator
The Information Security Forensics Association is developing an examination for a certified information systems forensics investigator, which evaluates tasks and responsibilities dealing with incident response, working with law enforcement, and auditing incidences.
Although the certification exam has not been fully developed, the common body of knowledge has been tentatively defined to include:
Countermeasures
Auditing
Incident response teams
Law enforcement and investigation
TracebackCredentials Of Information Security Professionals
Many organizations seek recognizable certifications to indicate the level of proficiency associated with the various security positions.
Most existing certifications are relatively new and not fully understood by hiring organizations.
The certifying bodies work hard to educate the general public on the value and qualifications of their certificate recipients.
Employers are trying to understand the match between certifications and the position requirements, and the candidates are trying to gain meaningful employment based on their newly received certifications.
CISSP and SSCP
Considered the most prestigious certification for security managers and CISOs, the CISSP is one of two certifications offered by the International Information Systems Security Certification Consortium. The SSCP is the other.
In order to sit for the CISSP exam, the candidate must possess at least three years of direct full-time security professional work in one or more of ten domains of information security knowledge:
Access control systems and methodology, Applications and systems development, Business continuity planning, Cryptography, Law, investigation, and ethics, Operations security, Physical security, Security architecture and models, Security management practices, and Telecommunications, network and internet security
Once a candidate receives the CISSP, he or she must earn a specific number of continuing education credits every three years to retain the certification.
Like the CISSP, the SSCP certification is more applicable to the security manager than the technician, because most questions focus on the operational nature of InfoSec.
The SSCP focuses “on practices, roles and responsibilities as defined by experts from major IS industries.”
The SSCP covers seven domains: Access controls, Administration, Audit and monitoring, Risk, response, and recovery, Cryptography, Data communications, Malicious code and malware.
Global Information Assurance Certification
SANS developed a series of technical security certifications in 1999, known as the GIAC. At the time, there were no technical certifications.
The GIAC family of certifications can be pursued independently or combined to earn the comprehensive certification, GIAC Security Engineer (GSE).
Like the SSCP, the GIAC Information Security Officer (GISO) is an overview certification that combines basic technical knowledge with understanding of threats, risks, and best practices.
Unlike other certifications, GIAC certifications require the applicant to first complete a written practical assignment before being allowed to take the exam. GIAC Certifications include:
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Information Security Officer - Basic (GISO - Basic)
GIAC Systems and Network Auditor (GSNA)
GIAC Certified Forensic Analyst (GCFA)
GIAC Security Leadership Certificate (GSLC)
To obtain the GIAC Certified Engineer, which is considered the pinnacle of GIAC certifications, candidates must earn all of the above certifications and receive honors recognition in at least one, before they are even allowed to sit for the final certification.
GIAC is designed not only to test knowledge of a field, but also to require application of that knowledge through the practicum.
While there are a growing number of entry-level certifications, GIAC currently offers the only advanced technical certifications.
Security Certified Professional
One of the newest certifications in information security, the SCP certification provides two tracks: the Security Certified Network Professional and the Security Certified Network Architect.
The SCNP track focuses on firewalls and intrusion detection, and requires two exams.
Network Security Fundamentals (NSF)
Network Defense and Countermeasures (NDC)
The SCNA program focuses more on authentication, including biometrics and PKI:
PKI and Biometrics Concepts and Planning (PBC)
PKI and Biometrics Implementation (PBI)
T.I.C.S.A. and T.I.C.S.E.
The TruSecure ICSA certifications are among the first vendor-sponsored certifications, that focuses on providing certifications that are skills- and knowledge-based, technology specific, and pragmatic.
A candidate must demonstrate appropriate experience and training before being allowed to sit for the examinations.
The T.I.C.S.A. certification is highly technical and is targeted towards network and systems administrators.
The examination is also based on the following TruSecure six categories of risk:
Electronic: External and internal, Hacking and sniffing, Spoofing.
Malicious code: Viruses and worms, Java and ActiveX, Trojans.
Physical: Theft and terminal hijack.
Human: Social engineering.
Privacy
Downtime: DoS attacks, Bugs, Power, Civil unrest, Natural disasters
Firewall implementation
Security policy formulation and implementation
Risk analysis
Attack method identification and solutions
Bastion hosts and system hardening techniques
Proxy server filtering properties
Packet filter definition and filtering criteria
Basic packet filter rule set design
VPN deployment
OS security expertise
Applied cryptography (PGP, S/MIME, VPNs)
Key management issues and solutions
Incident response planning
Biometrics
Network and computer forensics
Security+
CompTIA (www.comptia.com) is in the process of defining the body of knowledge necessary for their next certification.
The Security + certification will probably be similar to the Network + certification and to many others in its focus on key skills necessary to perform security, without being tied to a particular software or hardware vendor package.
Certified Information Systems Auditor
The CISA certification contains many information security components.
The Information Systems Audit and Control Association promotes the certification for auditing, networking, and security professionals.
Many of the CISA certifications have requirements common to other security certifications including:
Successful completion of the CISA examination
Experience as an information systems auditor
Agreement to the Code of Professional Ethics and the Information Systems Auditing Standards
Continuing education
The exam covers the following areas of information systems auditing:
The IS audit process (10 percent)
Management, planning, and organization of IS (11 percent)
Technical infrastructure and operational practices (13 percent)
Protection of information assets (25 percent)
Disaster recovery and business continuity (10 percent)
Business application system development, acquisition, implementation, and maintenance (16 percent)
Business process evaluation and risk management (15 percent)
The exam is only offered once a year, so advanced planning is a must.
Certified Information Systems Forensics Investigator
The Information Security Forensics Association is developing an examination for a certified information systems forensics investigator, which evaluates tasks and responsibilities dealing with incident response, working with law enforcement, and auditing incidences.
Although the certification exam has not been fully developed, the common body of knowledge has been tentatively defined to include:
Countermeasures
Auditing
Incident response teams
Law enforcement and investigation
Traceback
17. Principles of Information Security - Chapter 11 Slide 17 Cost of Being Certified Certifications cost money, and the better certifications can be quite expensive - cost for training can also be significant
Even an experienced professional finds it difficult to sit for one of these exams without some preparation
Many candidates teach themselves through trade press books others prefer the structure of formal training
Before attempting a certification exam, do your homework and review the exam criteria, its purpose and requirements in order to ensure that the time and energy spent pursuing the certification are well spent Cost of Being Certified
Certifications cost money, and the better certifications can be quite expensive. The cost for formal training to prepare for the certification can also be significant.
While you should not attempt to earn a certification without professional experience, these courses can help candidates round out their knowledge and fill in gaps.
Even an experienced professional would find it difficult to sit for one of these exams without some preparation.
Many candidates teach themselves through trade press books.
Others prefer the structure of formal training, because it includes practicing the technical components on equipment the candidate may not be able to access.
Before attempting a certification exam, do your homework.
Look at the exam criteria, its purpose and requirements in order to ensure that the time and energy spent pursuing the certification are well spent.
Cost of Being Certified
Certifications cost money, and the better certifications can be quite expensive. The cost for formal training to prepare for the certification can also be significant.
While you should not attempt to earn a certification without professional experience, these courses can help candidates round out their knowledge and fill in gaps.
Even an experienced professional would find it difficult to sit for one of these exams without some preparation.
Many candidates teach themselves through trade press books.
Others prefer the structure of formal training, because it includes practicing the technical components on equipment the candidate may not be able to access.
Before attempting a certification exam, do your homework.
Look at the exam criteria, its purpose and requirements in order to ensure that the time and energy spent pursuing the certification are well spent.
18. Principles of Information Security - Chapter 11 Slide 18 Figure 11-3
19. Principles of Information Security - Chapter 11 Slide 19 Advice for Information Security Professionals As a future information security professional, you can benefit from suggestions on entering the information security job market:
Always remember: business first, technology last
It’s all about the information
Be heard and not seen
Know more than you say, be more skillful than you let on
Speak to users, not at them
Your education is never complete Advice for Information Security Professionals
As a future information security professional, you can benefit from suggestions on entering information security job market.
Always remember: business first, technology last.
It’s all about the information
Be heard and not seen.
Know more than you say, be more skillful than you let on.
Speak to users, not at them.
Your education is never complete.
Advice for Information Security Professionals
As a future information security professional, you can benefit from suggestions on entering information security job market.
Always remember: business first, technology last.
It’s all about the information
Be heard and not seen.
Know more than you say, be more skillful than you let on.
Speak to users, not at them.
Your education is never complete.
20. Principles of Information Security - Chapter 11 Slide 20 Employment Policies and Practices The general management community of interest should integrate solid information security concepts into the organization’s employment policies and practices
If the organization can include security as a documented part of every employee’s job description, then perhaps information security will be taken more seriously EMPLOYMENT POLICIES AND PRACTICES
The general management community of interest should integrate solid information security concepts into the organization’s employment policies and practices.
If the organization can include security as a documented part of every employee’s job description, then perhaps information security will be taken more seriously.
EMPLOYMENT POLICIES AND PRACTICES
The general management community of interest should integrate solid information security concepts into the organization’s employment policies and practices.
If the organization can include security as a documented part of every employee’s job description, then perhaps information security will be taken more seriously.
21. Principles of Information Security - Chapter 11 Slide 21 Hiring and Termination Issues From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel Hiring and Termination Issues
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls.
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel.
Hiring and Termination Issues
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls.
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel.
22. Principles of Information Security - Chapter 11 Slide 22 Figure 11-4
23. Principles of Information Security - Chapter 11 Slide 23 Job Descriptions Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions Job Descriptions
Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions.
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions.
Job Descriptions
Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions.
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions.
24. Principles of Information Security - Chapter 11 Slide 24 Interviews An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
Information security should advise HR to limit information provided to the candidate on the responsibilities and access rights the new hire would have
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility Interviews
The next point of contact with a potential employee is the job interview.
An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.
For other areas, information security should advise HR to limit information provided to the candidate on the responsibilities and access rights the new hire would have.
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility.
Interviews
The next point of contact with a potential employee is the job interview.
An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.
For other areas, information security should advise HR to limit information provided to the candidate on the responsibilities and access rights the new hire would have.
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility.
25. Principles of Information Security - Chapter 11 Slide 25 Background Checks A background check is an investigation into a candidate’s past
There are regulations that govern such investigations
Background checks differ in the level of detail and depth with which the candidate is examined:
Identity checks
Education and credential checks
Previous employment verification
References checks
Worker’s Compensation history
Motor vehicle records
Drug history
Credit history
Civil court history
Criminal court history Background Checks
A background check is an investigation into the candidate’s past, specifically looking for criminal behavior that could indicate potential for future misconduct.
There are a number of regulations that govern what the organization can investigate, and how much of the information can influence the hiring decision, requiring the security and HR managers to discuss these matters with counsel.
Background checks differ in the level of detail and depth with which the candidate is examined:
Identity checks
Education and credential checks
Previous employment verification
References checks
Worker’s Compensation history
Motor vehicle records
Drug history
Credit history
Civil court history
Criminal court history
Background Checks
A background check is an investigation into the candidate’s past, specifically looking for criminal behavior that could indicate potential for future misconduct.
There are a number of regulations that govern what the organization can investigate, and how much of the information can influence the hiring decision, requiring the security and HR managers to discuss these matters with counsel.
Background checks differ in the level of detail and depth with which the candidate is examined:
Identity checks
Education and credential checks
Previous employment verification
References checks
Worker’s Compensation history
Motor vehicle records
Drug history
Credit history
Civil court history
Criminal court history
26. Principles of Information Security - Chapter 11 Slide 26 Fair Credit Reporting Act Federal regulations exist in the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)
Background reports contain information on a job candidate’s credit history, employment history, and other personal data
FCRA prohibits employers from obtaining these reports unless the candidate is informed Fair Credit Reporting Act
There are federal regulations regarding the use of personal information in employment practices, include the Fair Credit Reporting Act (FCRA), which governs consumer credit reporting agencies, and uses of the information from these agencies.
These reports contain information on a job candidate’s credit history, employment history, and other personal data.
Among other things, the FCRA prohibits employers from obtaining these reports unless the candidate is informed in writing that such a report will be requested as part of the employment process.
The FCRA also restricts the periods of time these reports can address.
Fair Credit Reporting Act
There are federal regulations regarding the use of personal information in employment practices, include the Fair Credit Reporting Act (FCRA), which governs consumer credit reporting agencies, and uses of the information from these agencies.
These reports contain information on a job candidate’s credit history, employment history, and other personal data.
Among other things, the FCRA prohibits employers from obtaining these reports unless the candidate is informed in writing that such a report will be requested as part of the employment process.
The FCRA also restricts the periods of time these reports can address.
27. Principles of Information Security - Chapter 11 Slide 27 Employment Contracts Once a candidate has accepted the job offer, the employment contract becomes an important security instrument
Many security policies require an employee to agree in writing
If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation
New employees, however may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he/she agrees to the binding organizational policies Employment Contracts
Once a candidate has accepted the job offer, the employment contract becomes an important security instrument.
Many policies require an employee to agree in writing. If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation.
New employees, however may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he agrees to the binding organizational policies.
Employment Contracts
Once a candidate has accepted the job offer, the employment contract becomes an important security instrument.
Many policies require an employee to agree in writing. If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation.
New employees, however may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he agrees to the binding organizational policies.
28. Principles of Information Security - Chapter 11 Slide 28 New Hire Orientation As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security
The levels of authorized access are outlined, and training provided on the secure use of information systems
By the time employees are ready to report to their positions, they should be thoroughly briefed, and ready to perform their duties securely New Hire Orientation
As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures and requirements for information security within the new position.
The levels of authorized access are outlined, and training provided on the secure use of information systems.
By the time employees are ready to report to their positions, they should be thoroughly briefed, and ready to perform their duties securely.
New Hire Orientation
As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures and requirements for information security within the new position.
The levels of authorized access are outlined, and training provided on the secure use of information systems.
By the time employees are ready to report to their positions, they should be thoroughly briefed, and ready to perform their duties securely.
29. Principles of Information Security - Chapter 11 Slide 29 On-the-Job Security Training As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness training
Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security awareness mission
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees On-the-Job Security Training
As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness and training.
Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security mission.
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees.
On-the-Job Security Training
As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness and training.
Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security mission.
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees.
30. Principles of Information Security - Chapter 11 Slide 30 Performance Evaluation To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations.
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.
Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations.
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.
31. Principles of Information Security - Chapter 11 Slide 31 Termination When an employee leaves an organization, there are a number of security-related issues
The key is protection of all information to which the employee had access
When an employee leaves, several tasks must be performed:
Access to the organization’s systems disabled
Removable media returned
Hard drives secured
File cabinet locks changed
Office door lock changed
Keycard access revoked
Personal effects removed from the organization’s premises
Once cleared, they should be escorted from the premises
In addition many organizations use an exit interview Termination
When an employee leaves an organization, there are a number of security-related issues. Key among these is the continuity of protection of all information to which the employee had access.
When an employee prepares to leave, the following tasks must be performed:
Access to the organization’s systems disabled
Removable media returned
Hard drives secured
File cabinet locks changed
Office door lock changed
Keycard access revoked
Personal effects removed from the organization’s premises
Once the employee has delivered keys, keycards, and other business property, he or she should be escorted from the premises.
In addition to the tasks listed above, many organizations use an exit interview to remind the employee of contractual obligations, such as nondisclosure agreements and to obtain feedback on the employee’s tenure in the organization.
At this time, the employee should be reminded that that should he or she fail to comply with contractual obligations, civil or criminal action may result.
From a security standpoint, security cannot risk the exposure of organizational information. The simplest and best method to handle the outprocessing of an employee is to select one of the scenarios that follows, based on the employee’s reasons for leaving.
Termination
When an employee leaves an organization, there are a number of security-related issues. Key among these is the continuity of protection of all information to which the employee had access.
When an employee prepares to leave, the following tasks must be performed:
Access to the organization’s systems disabled
Removable media returned
Hard drives secured
File cabinet locks changed
Office door lock changed
Keycard access revoked
Personal effects removed from the organization’s premises
Once the employee has delivered keys, keycards, and other business property, he or she should be escorted from the premises.
In addition to the tasks listed above, many organizations use an exit interview to remind the employee of contractual obligations, such as nondisclosure agreements and to obtain feedback on the employee’s tenure in the organization.
At this time, the employee should be reminded that that should he or she fail to comply with contractual obligations, civil or criminal action may result.
From a security standpoint, security cannot risk the exposure of organizational information. The simplest and best method to handle the outprocessing of an employee is to select one of the scenarios that follows, based on the employee’s reasons for leaving.
32. Principles of Information Security - Chapter 11 Slide 32 Hostile Departure Hostile departure (nonvoluntary)- termination, downsizing, lay off, or quitting:
Before the employee is aware all logical and keycard access is terminated
As soon as the employee reports for work, he is escorted into his supervisor’s office
Upon receiving notice, he is escorted to his area, and allowed to collect personal belongings
Employee asked to surrender all keys, keycards, and other company property
They are then escorted out of the building Hostile Departure
Hostile departure (non-voluntary) for termination, downsizing, lay off, or quitting:
Before the employee knows he is leaving, security terminates all logical and keycard access.
As soon as the employee reports for work, he is escorted into his supervisor’s office for the news.
Upon receiving notice, he is escorted to his area, and allowed to collect personal effects.
No organizational property is taken from the premises.
Employee asked to surrender all keys, keycards, and other company property.
They are then escorted out of the building.
Hostile Departure
Hostile departure (non-voluntary) for termination, downsizing, lay off, or quitting:
Before the employee knows he is leaving, security terminates all logical and keycard access.
As soon as the employee reports for work, he is escorted into his supervisor’s office for the news.
Upon receiving notice, he is escorted to his area, and allowed to collect personal effects.
No organizational property is taken from the premises.
Employee asked to surrender all keys, keycards, and other company property.
They are then escorted out of the building.
33. Principles of Information Security - Chapter 11 Slide 33 Friendly Departure Friendly departure (voluntary) for retirement, promotion, or relocation:
employee may have tendered notice well in advance of the actual departure date
actually makes it more difficult for security to maintain positive control over the employee’s access and information usage
employee access is usually allowed to continue with a new expiration date
employees come and go at will and collect their own belongings, and leave on their own
They are asked to drop off all organizational property “on their way out the door” Friendly Departure
Friendly departure (voluntary) for retirement, promotion, or relocation:
In this case, the employee may have tendered notice well in advance of the actual departure date. This actually makes it more difficult for security to maintain positive control over the employee’s access and information usage.
Employee accounts are usually allowed to continue with a new expiration date.
Employees come and go at will and collect their own belongings, and leave on their own.
They are asked to drop off all organizational property “on their way out the door.”
Friendly Departure
Friendly departure (voluntary) for retirement, promotion, or relocation:
In this case, the employee may have tendered notice well in advance of the actual departure date. This actually makes it more difficult for security to maintain positive control over the employee’s access and information usage.
Employee accounts are usually allowed to continue with a new expiration date.
Employees come and go at will and collect their own belongings, and leave on their own.
They are asked to drop off all organizational property “on their way out the door.”
34. Principles of Information Security - Chapter 11 Slide 34 Termination In all circumstance, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
It is possible that the employees foresee departure well in advance, and begin collecting organizational information or anything that could be valuable in their future employment
Only by scrutinizing systems logs after the employee has departed, and sorting out authorized actions from systems misuse or information theft can the organization determine if there has been a breach of policy or a loss of information
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed Termination
In either circumstance, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores.
It is possible in either situation that the employees foresee departure well in advance, and begin collecting organizational information or anything that could be valuable in their future employment.
Only by scrutinizing systems logs after the employee has departed, and sorting out authorized actions from systems misuse or information theft can the organization determine if there has been a breach of policy or a loss of information.
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.
Termination
In either circumstance, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores.
It is possible in either situation that the employees foresee departure well in advance, and begin collecting organizational information or anything that could be valuable in their future employment.
Only by scrutinizing systems logs after the employee has departed, and sorting out authorized actions from systems misuse or information theft can the organization determine if there has been a breach of policy or a loss of information.
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.
35. Principles of Information Security - Chapter 11 Slide 35 Security Considerations For Nonemployees A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft Security Considerations For Nonemployees
A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information.
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.
Security Considerations For Nonemployees
A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information.
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.
36. Principles of Information Security - Chapter 11 Slide 36 Temporary Employees Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce
As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies and if these individuals breach a policy or cause a problem actions are limited
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties
Ensure that the temp’s supervisor restricts the information to which they have access Temporary Employees
Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce.
These employees may be the paid employees of a “temp agency” or similar organization.
As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies of other employees.
If these individuals breach a policy or cause a problem, the strongest action the host organization can take is to terminate the relationships with the individuals and request that they be censured.
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties.
The organization can attempt to have temporary employees sign non-disclosure agreements and fair use policies, but they may refuse, forcing the organization to either dismiss the temp worker or allow him to work without the agreement.
Ensure that the temp’s supervisor restricts the information to which he has access and makes sure all employees follow good security practices, especially clean desk policies and the security of classified data.
Temporary Employees
Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce.
These employees may be the paid employees of a “temp agency” or similar organization.
As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies of other employees.
If these individuals breach a policy or cause a problem, the strongest action the host organization can take is to terminate the relationships with the individuals and request that they be censured.
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties.
The organization can attempt to have temporary employees sign non-disclosure agreements and fair use policies, but they may refuse, forcing the organization to either dismiss the temp worker or allow him to work without the agreement.
Ensure that the temp’s supervisor restricts the information to which he has access and makes sure all employees follow good security practices, especially clean desk policies and the security of classified data.
37. Principles of Information Security - Chapter 11 Slide 37 Contract Employees Contract employees are typically hired to perform specific services for the organization
The host company often makes a contract with a parent organization rather than with an individual for a particular task
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility
There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated Contract Employees
Contract employees are typically hired to perform specific services for the organization.
The host company often makes a contract with a parent organization rather than with an individual for a particular task.
Although some individuals may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources.
Contract employees may need access to various facilities; however, this does not mean they should be allowed to wander freely in and out of buildings.
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility.
There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated.
Contract Employees
Contract employees are typically hired to perform specific services for the organization.
The host company often makes a contract with a parent organization rather than with an individual for a particular task.
Although some individuals may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources.
Contract employees may need access to various facilities; however, this does not mean they should be allowed to wander freely in and out of buildings.
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility.
There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated.
38. Principles of Information Security - Chapter 11 Slide 38 Consultants Consultants should be handled like contract employees, with special requirements for information or facility access requirements integrated into the contract before these individual are allowed outside the conference room
Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization
Just because you pay a security consultant, doesn’t make the protection of your information his or her number one priority Consultants
Consultants should be handled like contract employees, with special requirements for information or facility access requirements integrated into the contract before these individual are allowed outside the conference room.
Security and technology consultants especially must be prescreened, escorted, and subjected to non-disclosure agreements to protect the organization from possible intentional or accidental breaches of confidentiality.
Just because you pay a security consultant, doesn’t make the protection of your information his or her number one priority.
Consultants
Consultants should be handled like contract employees, with special requirements for information or facility access requirements integrated into the contract before these individual are allowed outside the conference room.
Security and technology consultants especially must be prescreened, escorted, and subjected to non-disclosure agreements to protect the organization from possible intentional or accidental breaches of confidentiality.
Just because you pay a security consultant, doesn’t make the protection of your information his or her number one priority.
39. Principles of Information Security - Chapter 11 Slide 39 Business Partners Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom
Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all Business Partners
On occasion, businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage.
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom.
Non-disclosure agreements abound, and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all.
Business Partners
On occasion, businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage.
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom.
Non-disclosure agreements abound, and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all.
40. Principles of Information Security - Chapter 11 Slide 40 Separation of Duties and Collusion The completion of a significant task that involves sensitive information should require two people using the check and balance method to avoid collusion
A similar concept is that of two-man control, when two individuals review and approve each other’s work before the task is categorized as finished
Another control used is job rotation where employees know each others job skills
A mandatory vacation, of at least one week, provides the ability to audit the work
Need-to-know and least privilege ensures that no unnecessary access to data occurs, and that only those individuals who must access the data do so Separation Of Duties And Collusion
Separation of duties is a cornerstone in the protection of information assets and in preventing loss.
The completion of a significant task that involves sensitive information should require two people.
If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises.
The check and balance method requires two or more people to conspire to commit an incident, which is known as collusion. The odds that two people are willing and able to misuse or abuse the system are much lower than one.
Related to the concept of separation of duties is that of two-man control, the requirement that two individuals review and approve each other’s work before the task is categorized as finished. This is distinct from separation of duties, in which the two work in sequence.
In two-man control, each person completely finishes the necessary work, and then submits it to the co-worker.
Each co-worker examines the work performed, double checking the actions performed, and making sure no errors or inconsistencies exist.
Another control used to prevent personnel from misusing information assets is job rotation or task rotation, the requirement that every employee be able to perform the work of another employee.
Ensuring that all critical tasks have multiple individuals capable of performing the tasks can greatly increase the chance that one employee could detect misuse of the system or abuse of the information of another.
A mandatory vacation, of at least one week, provides the ability to audit the work of an individual.
Individuals who are stealing or misusing information or systems are reluctant to take vacations, for fear that their actions are detected.
Employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties.
Similar to the concept of need-to-know, least privilege ensures that no unnecessary access to data occurs, and that only those individuals who must access the data do so.
The whole purpose of information security is to allow those people with a need to use information to do so without concern for the loss of confidentiality, integrity, and availability.
Everyone who can access data probably will, resulting in numerous potential losses.
Separation Of Duties And Collusion
Separation of duties is a cornerstone in the protection of information assets and in preventing loss.
The completion of a significant task that involves sensitive information should require two people.
If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises.
The check and balance method requires two or more people to conspire to commit an incident, which is known as collusion. The odds that two people are willing and able to misuse or abuse the system are much lower than one.
Related to the concept of separation of duties is that of two-man control, the requirement that two individuals review and approve each other’s work before the task is categorized as finished. This is distinct from separation of duties, in which the two work in sequence.
In two-man control, each person completely finishes the necessary work, and then submits it to the co-worker.
Each co-worker examines the work performed, double checking the actions performed, and making sure no errors or inconsistencies exist.
Another control used to prevent personnel from misusing information assets is job rotation or task rotation, the requirement that every employee be able to perform the work of another employee.
Ensuring that all critical tasks have multiple individuals capable of performing the tasks can greatly increase the chance that one employee could detect misuse of the system or abuse of the information of another.
A mandatory vacation, of at least one week, provides the ability to audit the work of an individual.
Individuals who are stealing or misusing information or systems are reluctant to take vacations, for fear that their actions are detected.
Employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties.
Similar to the concept of need-to-know, least privilege ensures that no unnecessary access to data occurs, and that only those individuals who must access the data do so.
The whole purpose of information security is to allow those people with a need to use information to do so without concern for the loss of confidentiality, integrity, and availability.
Everyone who can access data probably will, resulting in numerous potential losses.
41. Principles of Information Security - Chapter 11 Slide 41 Figure 11-6
42. Principles of Information Security - Chapter 11 Slide 42 Privacy and the Security of Personnel Data Organizations are required by law to protect employee information that is sensitive or personal
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives
This responsibility also extends to customers, patients, and business relationships Privacy And The Security Of Personnel Data
Another personnel and security topic is the security of personnel and personal data.
Organizations are required by law to protect employee information that is sensitive or personal.
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives.
This responsibility also extends to customers, patients, and business relationships.
Privacy And The Security Of Personnel Data
Another personnel and security topic is the security of personnel and personal data.
Organizations are required by law to protect employee information that is sensitive or personal.
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives.
This responsibility also extends to customers, patients, and business relationships.
