by Dr. Norafida Ithnin
INSPIRING CREATIVE AND INNOVATIVE MINDS
Entry into the Security Profession
• Many information security professionals enter the field through one of two career paths:
– ex-law enforcement and military personnel
– technical professionals working on security applications and processes
• Today, students are selecting and tailoring degree programs to prepare for work in security
• Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions
Information Security Positions
• The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations
• Organizations that are revising the roles and responsibilities of InfoSec staff can consult references
InfoSec Staffing Help Wanted
• Definers provide the policies, guidelines, and standards
• Builders are the real techies, who create and install security solutions
• Operators run and administer the security tools, perform security monitoring, and continuously improve processes
Chief Information Security Officer
• The top information security position in the organization; not usually an executive, and frequently reports to the Chief Information Officer
• The CISO performs the following functions:
– Manages the overall InfoSec program
– Drafts or approves information security policies
– Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
– Develops InfoSec budgets based on funding
– Sets priorities for InfoSec projects & technology
– Makes decisions in recruiting, hiring, and firing of security staff
– Acts as the spokesperson for the security team
Security Manager
• Accountable for the day-to-day operation of the information security program
• Accomplishes objectives as identified by the CISO
• Qualifications and position requirements:
– It is not uncommon to have a CISSP
– Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification
– Must have the ability to draft middle- and lower-level policies as well as standards and guidelines
– They must have experience in budgeting, project management, and hiring and firing
– They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities
Security Technician
• Technically qualified individuals tasked to configure security hardware and software
• Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution
• Qualifications and position requirements:
– Organizations prefer the expert, certified, proficient technician
– Job descriptions cover some level of experience with a particular hardware and software package
– Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required
Internal Security Consultant
• Typically an expert in some aspect of information security
• Usually preferable to involve a formal security services company; however, it is not unusual to find a qualified individual consultant
• Must be highly proficient in the managerial aspects of security
• Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO
Credentials of Information Security Professionals
• Many organizations seek recognizable certifications
• Most existing certifications are relatively new
• Certifications:
– CISSP and SSCP
– Global Information Assurance Certification
– Security Certified Professional
– T.I.C.S.A. and T.I.C.S.E.
– Security+
– Certified Information Systems Auditor
– Certified Information Systems Forensics Investigator
Advice for Information Security Professionals
• As a future information security professional, you can benefit from suggestions on entering the information security job market:
– Always remember: business first, technology last
– It's all about the information
– Be heard and not seen
– Know more than you say, be more skillful than you let on
– Speak to users, not at them
– Your education is never complete
Staffing the Security Function
• Selecting personnel is based on many criteria, including supply and demand
• Many professionals enter the security market by gaining skills, experience, and credentials
• At the present time the information security industry is in a period of high demand
Qualifications and Requirements
• Organizations typically look for a technically qualified information security generalist
• In the information security discipline, over-specialization is often a risk, and it is important to balance technical skills with general information security knowledge
Interaction of Security Components (figure): Security Policy & Procedures feed the Protective (Security) Components (Alarms & Hardware, Security Personnel, Employee Support), which are linked by Response, Reinforcement, Utilization, Safeguards, Controls, Compliance, and Enforcement.
Personnel Security Procedure
The organization develops, disseminates, and periodically reviews and updates:
1. A formal, documented personnel security policy
2. Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls
3. A formal procedure to review and document the list of approved personnel with access to information systems
Personnel Security Procedure
PERSONNEL SECURITY POLICY addresses:
– The purpose of the security programme as it relates to protecting the organization's personnel and assets
– The scope of the security programme as it applies to all the organizational staff and third-party contractors
– The roles, responsibilities, and management accountability structure of the security programme to ensure compliance with the organization's security policy and other regulatory commitments
Personnel Security
• Involves those measures taken to safeguard a company's employees and those coming to a place of business either for business reasons or as guests
• Probably the most recent concerns classified under personnel security are executive protection and background investigations
Personnel
• Customers
• Visitors
• Employees
• Executives
• Contractors & Consultants
• Unauthorized persons
Customers and Visitors
• "Due diligence" is the rule of thumb when it comes to protecting people who come to your premises
• Efforts to provide adequate security can prevent or reduce liability
• Workplace violence prevention plan
• History of security incidents where people have been the target
Employees
• Human factors, including both human error and failure, are probably the greatest single source of risk, requiring constant care and management
• An organization's employees are now considered a corporate resource and asset
Personnel Life Cycle (figure): Hire → Place in Job → Transfer → Terminate
Hiring Practices
• Organizations must take special care during the interview to determine each candidate's level of personal and professional integrity
• The sensitive nature and value of the assets that employees will be handling require an in-depth screening process
Hiring Practices (Cont.)
• At a minimum, the screening process should include a series of comprehensive interviews that emphasize integrity as well as technical qualifications
• References from former employers should be examined and verified
• This includes former teachers, friends, coworkers, & supervisors
Hiring Practices (Cont.)
• Former employers are usually in the best position to rate the applicant accurately, providing a candid assessment of strengths and weaknesses, personal ethics, past earnings, etc.
• Unfortunately, many employers have become increasingly cautious about releasing such information, necessitating release forms
Hiring Practices (Cont.)
• Use of a reference authorization and hold-harmless agreement oftentimes provides the necessary information
• Be sure reference authorizations have: the signature of the applicant, releases for former & prospective employers, and a clear specification of the type of information that may be revealed
Hiring Criteria
• When hiring infosec professionals, organizations frequently look for individuals who understand:
– How an organization operates at all levels
– Information security is usually a management problem and is seldom an exclusively technical problem
– People, and who have strong communications and writing skills
– The roles of policy and education and training
– The threats and attacks facing an organization
– How to protect the organization from attacks
– How business solutions can be applied to solve specific information security problems
– Many of the most common mainstream IT technologies, as generalists
– The terminology of IT and information security
Hiring Practices (Cont.)
What to look for? A straw person, perhaps?
• Education
• Training
• Experience
• Stable Work History
• Professional Certifications
• Clear Criminal Record
• Fiscal Responsibility
• Background Continuity
• Physical Fitness
Employment Policies and Practices
• The general management community of interest should integrate solid information security concepts into the organization's employment policies and practices
• If the organization can include security as a documented part of every employee's job description, then perhaps information security will be taken more seriously
Figure 11-4 .
Job Descriptions
• Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions
• To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions
Interviews
• An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
• Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have
• For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility
Background Checks
• A background check is an investigation into a candidate's past
• There are regulations that govern such investigations
• Background checks differ in the level of detail and depth with which the candidate is examined:
– Identity checks
– Education and credential checks
– Previous employment verification
– Reference checks
– Worker's Compensation history
– Motor vehicle records
– Drug history
– Credit history
– Civil court history
– Criminal court history
Fair Credit Reporting Act
• Federal regulations exist on the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)
• Background reports contain information on a job candidate's credit history, employment history, and other personal data
• FCRA prohibits employers from obtaining these reports unless the candidate is informed
Employment Contracts
• Once a candidate has accepted the job offer, the employment contract becomes an important security instrument
• Many security policies require an employee to agree in writing
– If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation
• New employees, however, may find policies classified as "employment contingent upon agreement," whereby the employee is not offered the position unless he/she agrees to the binding organizational policies
Place in Job – New Hire Orientation
• As new employees are introduced into the organization's culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security
• The levels of authorized access are outlined, and training provided on the secure use of information systems
• By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely
On-the-Job Security Training
• As part of the new hire's ongoing job orientation, and as part of every employee's security responsibilities, the organization should conduct periodic security awareness training
• Keeping security at the forefront of employees' minds and minimizing employee mistakes is an important part of the information security awareness mission
• Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees
Performance Evaluation
• To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
• Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level
Personnel Transfer
• The organization reviews logical and physical access permissions to information systems and facilities when individuals are reassigned or transferred to other positions within the organization, and initiates appropriate actions
• This control is to be completed within a defined period of time for employees or contractors who no longer need access to the resources of their former position
Personnel Transfer
Appropriate actions may include:
1. Returning old and issuing new keys, identification cards, and building passes
2. Closing old accounts and establishing new accounts
3. Changing system access privileges
4. Providing access to official records created or controlled by the employee at the former work location and in the former accounts
Personnel Terminate
• When an employee leaves an organization, there are a number of security-related issues
• The key is protection of all information to which the employee had access
• When an employee leaves, several tasks must be performed:
– Access to the organization's systems disabled
– Removable media returned
– Hard drives secured
– File cabinet locks changed
– Office door lock changed
– Keycard access revoked
– Personal effects removed from the organization's premises
• Once cleared, they should be escorted from the premises
• In addition, many organizations use an exit interview
Hostile Departure
• Hostile departure (nonvoluntary): termination, downsizing, lay off, or quitting:
– Before the employee is aware, all logical and keycard access is terminated
– As soon as the employee reports for work, he is escorted into his supervisor's office
– Upon receiving notice, he is escorted to his area and allowed to collect personal belongings
– The employee is asked to surrender all keys, keycards, and other company property
– They are then escorted out of the building
Friendly Departure
• Friendly departure (voluntary) for retirement, promotion, or relocation:
– the employee may have tendered notice well in advance of the actual departure date
– this actually makes it more difficult for security to maintain positive control over the employee's access and information usage
– employee access is usually allowed to continue with a new expiration date
– employees come and go at will, collect their own belongings, and leave on their own
– they are asked to drop off all organizational property "on their way out the door"
Termination
• In all circumstances, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
• It is possible that employees foresee departure well in advance, and begin collecting organizational information or anything that could be valuable in their future employment
• Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine if there has been a breach of policy or a loss of information
• In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed
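The departure slides above (disable accounts, revoke keycards, set an expiration date for a friendly departure, then scrutinize the logs afterwards) describe a reconciliation that is easy to get wrong by hand. The following is an added example, not code from the original slides: it takes a constructed inventory of what a departing person holds and a constructed key=value log sample (neither is a real product's format), reports what still has to be disabled or collected, flags any activity by the account after its cutoff, and counts data-movement actions in the weeks before departure. The account names, item tags, log lines and the 30-day window are all assumptions for illustration.

```python
"""
Offboarding reconciliation over a constructed inventory and log sample:
what still must be revoked/collected, what a departed account did after its
cutoff, and whether it was bulk-collecting data beforehand. Added example;
all records below are constructed, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Departure:
    user: str
    hostile: bool              # hostile: access is cut before the employee is told
    departs_at: datetime       # UTC instant after which no access is authorised
    accounts: frozenset        # directory accounts held by this person
    issued_items: frozenset    # keys, keycards, removable media, etc.


# Constructed records; a real run would pull these from HR, IAM and asset systems.
DEPARTURES = [
    Departure("jdoe", True, datetime(2024, 5, 3, 8, 0, tzinfo=timezone.utc),
              frozenset({"jdoe", "jdoe-adm"}),
              frozenset({"keycard-0412", "key-lab", "usb-17"})),
    Departure("asmith", False, datetime(2024, 5, 10, 17, 0, tzinfo=timezone.utc),
              frozenset({"asmith"}), frozenset({"keycard-0098"})),
]

# Constructed log lines in a simple key=value layout (not a real product's format).
SAMPLE_LOG = """\
2024-04-20T14:02:11Z user=jdoe action=download object=customer_list.xlsx
2024-04-21T09:30:00Z user=jdoe action=download object=pricing.pdf
2024-04-28T18:45:03Z user=jdoe action=usb_write object=backup.zip
2024-05-03T07:55:10Z user=jdoe action=login result=success
2024-05-03T09:12:44Z user=jdoe action=login result=success
this line is malformed and is skipped
2024-05-09T10:00:00Z user=asmith action=login result=success
2024-05-11T08:01:00Z user=asmith action=vpn_connect result=success
2024-05-11T08:05:00Z user=bjones action=login result=success
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)")


def parse_log_line(line):
    """Return {'ts','user','action','raw'}, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "raw": line.strip()}


def access_cutoff(dep, now):
    """Hostile: cut access now, before notice. Friendly: accounts keep working
    until the agreed expiration date (the slides' 'new expiration date')."""
    return now if dep.hostile else dep.departs_at


def outstanding_access(dep, enabled_accounts, returned_items):
    """Accounts still enabled in the directory and issued items not yet handed back."""
    return {
        "disable": sorted(dep.accounts & set(enabled_accounts)),
        "collect": sorted(dep.issued_items - set(returned_items)),
    }


def post_departure_activity(log_lines, departures):
    """Events by a departed user after that user's cutoff. Each one is either a
    revocation that was missed or misuse; per the slides, declare an incident."""
    cutoff = {d.user: d.departs_at for d in departures}
    hits = []
    for line in log_lines:
        ev = parse_log_line(line)
        if ev and ev["user"] in cutoff and ev["ts"] > cutoff[ev["user"]]:
            hits.append(ev)
    return hits


def pre_departure_collection(log_lines, dep, window_days=30,
                             actions=("download", "copy", "usb_write")):
    """Count data-movement actions by the user in the window before departure,
    the 'collecting information in advance' pattern the slides warn about."""
    start = dep.departs_at - timedelta(days=window_days)
    count = 0
    for line in log_lines:
        ev = parse_log_line(line)
        if ev and ev["user"] == dep.user and ev["action"] in actions \
                and start <= ev["ts"] <= dep.departs_at:
            count += 1
    return count


if __name__ == "__main__":
    jdoe = DEPARTURES[0]
    print(outstanding_access(jdoe, {"jdoe-adm", "bjones"}, {"keycard-0412"}))
    for ev in post_departure_activity(SAMPLE_LOG, DEPARTURES):
        print("POST-DEPARTURE:", ev["raw"])
    print("bulk actions in last 30 days:", pre_departure_collection(SAMPLE_LOG, jdoe))
```

The post-departure check is the part worth automating: the friendly-departure account that "continues with a new expiration date" is exactly the one whose expiry is forgotten, and a single successful login or VPN connection after the cutoff is the evidence the slides say should be treated as an incident rather than explained away.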
Security Considerations For Non-employees
• A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information
• Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft
Temporary Employees
• Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce
• As they are not employed by the host organization, they are often not subject to its contractual obligations or general policies, and if these individuals breach a policy or cause a problem, the actions the organization can take are limited
• From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties
• Ensure that the temp's supervisor restricts the information to which they have access
Contract Employees
• Contract employees are typically hired to perform specific services for the organization
• The host company often makes a contract with a parent organization rather than with an individual for a particular task
• In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility
• There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated
Consultants
• Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room
• Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization
• Just because you pay a security consultant doesn't make the protection of your information his or her number one priority
Business Partners
• Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage
• There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom
• Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all
Separation of Duties and Collusion
• The completion of a significant task that involves sensitive information should require two people using the check and balance method to avoid collusion
• A similar concept is that of two-man control, where two individuals review and approve each other's work before the task is categorized as finished
• Another control used is job rotation, where employees know each other's job skills
• A mandatory vacation, of at least one week, provides the ability to audit the work
• Need-to-know and least privilege ensure that no unnecessary access to data occurs, and that only those individuals who must access the data do so
Figure 11-6 .
Privacy and the Security of Personnel Data
• Organizations are required by law to protect employee information that is sensitive or personal
• This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives
• This responsibility also extends to customers, patients, and business relationships
Hiring and Termination Issues
• From an information security perspective, the hiring of employees is a responsibility concerned with potential security pitfalls
• The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel
What about contractors/third-party/vendors? (Personnel Life Cycle figure: Hire → Place in Job → Transfer → Terminate)
Third-Party/Vendors
Third-party providers may include:
• service bureaus
• contractors
• other organizations providing:
– control system operation and maintenance
– IT services, development, outsourced applications
– network and security management
Third-Party/Vendors
The organization must explicitly include personnel security requirements in acquisition-related contract and agreement documents.
Contracting and Outsourcing
Required provisions
• Security roles and responsibilities of employees, contractors and 3rd party users should be defined and documented in accordance with the organization's information security policy
• Implement and act in accordance with the organization's information security policies
Contracting and Outsourcing
Required provisions
• Protect assets from unauthorized access, modification, disclosure, destruction or interference
• Execute particular security processes or activities
• Ensure responsibility is assigned to the individual for actions taken
• Report security events, potential events, or other security risks to the organization
Summary
PERSONNEL SECURITY and INFORMATION SECURITY management should cooperate to identify:
– Specific job positions/roles/contracts which may need additional screening/training
– Information security common and special training requirements
– System access and termination procedures
– Adequate disciplinary measures
Summary Insider threat and other human issues are the leading causes of information security breaches: Take your personnel security issues seriously! .