8/6/2019 SCR4473 Information Security Personnel
1/59
8/6/2019 SCR4473 Information Security Personnel
2/59
Entry into the Security Profession
Many information security professionals enter the fieldthrough one of two career paths: ex-law enforcement and military personnel technical professionals working on security applications and
processes Today, students are selecting and tailoring degree
programs to prepare for work in security
Organizations can foster greater professionalism in theinformation security discipline through clearly definedexpectations and position descriptions
8/6/2019 SCR4473 Information Security Personnel
3/59
8/6/2019 SCR4473 Information Security Personnel
4/59
Figure 11-2
8/6/2019 SCR4473 Information Security Personnel
5/59
InfoSec Staffing Help Wanted
Definers provide the policies, guidelines,and standards
Builders are the real techies, whocreate and install security solutions
Operators run and administer the
security tools, perform securitymonitoring, and continuously improveprocesses
8/6/2019 SCR4473 Information Security Personnel
6/59
Chief Information Security Officer
The top information security position in the organization, notusually an executive and frequently reports to the Chief Information Officer
The CISO performs the following functions: Manages the overall InfoSec program Drafts or approves information security policies Works with the CIO on strategic plans, develops tactical plans, and
works with security managers on operational plans Develops InfoSec budgets based on funding Sets priorities for InfoSec projects & technology
Makes decisions in recruiting, hiring, and firing of security staff Acts as the spokesperson for the security team
8/6/2019 SCR4473 Information Security Personnel
7/59
Security Manager
Accountable for the day-to-day operation of the information securityprogram
Accomplishes objectives as identified by the CISO Qualifications and position requirements:
It is not uncommon to have a CISSP Traditionally, managers earned the CISSP while technical professionals earned
the Global Information Assurance Certification Must have the ability to draft middle- and lower-level policies as well as
standards and guidelines
They must have experience in budgeting, project management, and hiring andfiring
They must also be able to manage technicians, both in the assignment of tasksand the monitoring of activities
8/6/2019 SCR4473 Information Security Personnel
8/59
Security Technician
Technically qualified individuals tasked to configuresecurity hardware and software
Tend to be specialized, focusing on one major security
technology and further specializing in one software or hardware solution Qualifications and position requirements:
Organizations prefer the expert, certified, proficient technician Job descriptions cover some level of experience with a particular hardware
and software package Sometimes familiarity with a technology secures an applicant an interview;
however, experience in using the technology is usually required
8/6/2019 SCR4473 Information Security Personnel
9/59
Internal Security Consultant
Typically an expert in some aspect of information security
Usually preferable to involve a formal security services company,it is not unusual to find a qualified individual consultant
Must be highly proficient in the managerial aspects of security
Information security consultants usually enter the field after working as experts in the discipline and often have experienceas a security manager or CISO
8/6/2019 SCR4473 Information Security Personnel
10/59
Credentials of Information SecurityProfessionals
Many organizations seek recognizable certifications Most existing certifications are relatively new Certifications:
CISSP and SSCP Global Information Assurance Certification Security Certified Professional T.I.C.S.A. and T.I.C.S.E. Security+ Certified Information Systems Auditor Certified Information Systems Forensics Investigator
8/6/2019 SCR4473 Information Security Personnel
11/59
Advice for Information SecurityProfessionals
As a future information security professional, youcan benefit from suggestions on entering theinformation security job market: Always remember: business first, technology last Its all about the information Be heard and not seen Know more than you say, be more skillful than you let on Speak to users, not at them Your education is never complete
8/6/2019 SCR4473 Information Security Personnel
12/59
Staffing the Security Function
Selecting personnel is based on manycriteria, including supply and demand
Many professionals enter the securitymarket by gaining skills, experience, andcredentials
At the present time the informationsecurity industry is in a period of highdemand
8/6/2019 SCR4473 Information Security Personnel
13/59
Qualifications and Requirements
Organizations typically look for atechnically qualified information security
generalist In the information security discipline,over-specialization is often a risk and itis important to balance technical skillswith general information securityknowledge
8/6/2019 SCR4473 Information Security Personnel
14/59
Interaction of Security Components
Protective(Security)
Components
SecurityPersonnel
EmployeeSupport
Alarms &Hardware
SecurityPolicy &
Procedures
C o m p l i a
n c e C o n t r o l
sE n f o r c e m e n t
S a f e g u a r d s
U t i l i z a t i o n R e i n f
o r c e m
e n t
R e s p o
n s e
8/6/2019 SCR4473 Information Security Personnel
15/59
Personnel Security Procedure
The organization develops, disseminates, andperiodically reviews and updates:
1. A formal, documented, personnel security policy
2. Formal, documented procedures to facilitate theimplementation of the personnel security policyand associated personnel security controls.
3. Formal procedure to review and document list of approved personnel with access to informationsystems.
8/6/2019 SCR4473 Information Security Personnel
16/59
Personnel Security Procedure
PERSONNEL SECURITY POLICY addresses:
The purpose of the security programme as it relatesto protecting the organizations personnel and assets.
The scope of the security programme as it applies toall the organizational staff and third-party contractors.
The roles, responsibilities, and management
accountability structure of the security programme toensure compliance with the organizations securitypolicy and other regulatory commitments.
8/6/2019 SCR4473 Information Security Personnel
17/59
Personnel Security
Involves those measures taken tosafeguard a companysemployees and those coming to a
place of business either for business reasons or as a guests Probably the most recent
concerns classified under
personnel security are executiveprotection and back- groundinvestigations.
8/6/2019 SCR4473 Information Security Personnel
18/59
Personnel
Customers Visitors Employees Executives
Contractors & Consultants
Unauthorized persons
8/6/2019 SCR4473 Information Security Personnel
19/59
Customers and Visitors
Due diligence is the rule of thumb when itcomes to protecting people who come toyour premises.
History of security incidents where peoplehave been the target.
Efforts to provide adequate security canprevent or reduce liability.
Workplace violence prevention plan.
8/6/2019 SCR4473 Information Security Personnel
20/59
8/6/2019 SCR4473 Information Security Personnel
21/59
Personnel Life Cycle
Hire
Transfer
Terminate Place in JobPersonnelLife Cycle
8/6/2019 SCR4473 Information Security Personnel
22/59
Hiring Practices
Organizations must take special careduring the interview to determine eachcandidates level of personal andprofessional integrity.
The sensitive nature and value of theassets that employees will be handingrequire an in-depth screening process.
8/6/2019 SCR4473 Information Security Personnel
23/59
Hiring Practices (Cont.)
At a minimum, the screening process shouldinclude a series of comprehen- sive
interviews that emphasize integrity as well astechnical qualifications. References from former employers should
be examined and verified. This includes former teachers, friends, co-workers, & supervisors.
8/6/2019 SCR4473 Information Security Personnel
24/59
Hiring Practices (Cont.)
Former employers are usually in thebest position to rate the applicant
accurately, providing a candid assess-ment of strengths and weaknesses,personal ethics, past earnings, etc.
Unfortunately many employers havebecome increasing cautious aboutreleasing necessitating release forms.
8/6/2019 SCR4473 Information Security Personnel
25/59
Hiring Practices (Cont.)
Use of a reference authorization andhold-harmless agreement oftentimes
provides the necessary information. Be sure reference authorizations have:
signature of applicant, releases former &
prospective employers, and clearlyspecifies the type of information that maybe reveal.
8/6/2019 SCR4473 Information Security Personnel
26/59
Hiring Criteria
When hiring infosec professionals, organizationsfrequently look for individuals who understand: How an organization operates at all levels Information security is usually a management problem and is seldom an
exclusively technical problem People and have strong communications and writing skills The roles of policy and education and training The threats and attacks facing an organization How to protect the organization from attacks
How business solutions can be applied to solve specific informationsecurity problems Many of the most common mainstream IT technologies as generalists The terminology of IT and information security
8/6/2019 SCR4473 Information Security Personnel
27/59
Hiring Practices (Cont.)
What to Look For? A Straw personPerhaps?
Education
ExperienceTraining
Professional Certifications
Stable Work History
Clear Criminal RecordFiscal Responsibility
Background Continuity
Physical Fitness
8/6/2019 SCR4473 Information Security Personnel
28/59
Employment Policies and Practices
The general management community of interestshould integrate solid information securityconcepts into the organizations employmentpolicies and practices
If the organization can include security as adocumented part of every employees job
description, then perhaps information security willbe taken more seriously
8/6/2019 SCR4473 Information Security Personnel
29/59
Figure 11-4
8/6/2019 SCR4473 Information Security Personnel
30/59
Job Descriptions
Inserting information security perspectivesinto the hiring process begins with reviewing
and updating all job descriptions To prevent people from applying for positions
based solely on access to sensitive
information, the organization should avoidrevealing access privileges to prospectiveemployees when advertising positions
8/6/2019 SCR4473 Information Security Personnel
31/59
Interviews
An opening within Information Security opens up aunique opportunity for the security manager to educateHR on the certifications, experience, and qualifications of
a good candidate Information security should advise HR to limit information
provided to the candidate on the responsibilities andaccess rights the new hire would have
For those organizations that include on-site visits as partof interviews, it is important to use caution when showinga candidate around the facility
8/6/2019 SCR4473 Information Security Personnel
32/59
Background Checks
A background check is an investigation into a candidates past There are regulations that govern such investigations Background checks differ in the level of detail and depth with which the
candidate is examined:
Identity checks Education and credential checks Previous employment verification References checks Workers Compensation history Motor vehicle records Drug history Credit history Civil court history Criminal court history
8/6/2019 SCR4473 Information Security Personnel
33/59
Fair Credit Reporting Act
Federal regulations exist in the use of personalinformation in employment practices, including theFair Credit Reporting Act (FCRA)
Background reports contain information on a jobcandidates credit history, employment history, andother personal data
FCRA prohibits employers from obtaining these
reports unless the candidate is informed
8/6/2019 SCR4473 Information Security Personnel
34/59
Employment Contracts
Once a candidate has accepted the job offer, the employmentcontract becomes an important security instrument
Many security policies require an employee to agree in writing If an existing employee refuses to sign these contracts, the security
personnel are placed in a difficult situation New employees, however may find policies classified as
employment contingent upon agreement, whereby theemployee is not offered the position unless he/she agrees tothe binding organizational policies
8/6/2019 SCR4473 Information Security Personnel
35/59
8/6/2019 SCR4473 Information Security Personnel
36/59
On-the-Job Security Training
As part of the new hires ongoing job orientation, and as partof every employees security responsibilities, the organizationshould conduct periodic security awareness training
Keeping security at the forefront of employees minds andminimizing employee mistakes is an important part of theinformation security awareness mission
Formal external and informal internal seminars also increasethe level of security awareness for all employees, especiallysecurity employees
8/6/2019 SCR4473 Information Security Personnel
37/59
Performance Evaluation
To heighten information security awareness andchange workplace behavior, organizations shouldincorporate information security components into
employee performance evaluations Employees pay close attention to job performance
evaluations, and if the evaluations includeinformation security tasks, employees are moremotivated to perform these tasks at a satisfactorylevel
8/6/2019 SCR4473 Information Security Personnel
38/59
Personnel Transfer
The organization reviews logical and physicalaccess permissions to information systems and
facilities when individuals are reassigned or transferred to other positions within theorganization and initiates appropriate actions.
Complete execution of this control within certainperiod of time for employees or contractors who nolonger need to access security systems resources.
8/6/2019 SCR4473 Information Security Personnel
39/59
Personnel Transfer
Appropriate actions may include:
1. Returning old and issuing new keys, identification
cards, and building passes2. Closing old accounts and establishing new
accounts
3. Changing system access privileges4. Providing access to official records created or
controlled by the employee at the former worklocation and in the former accounts.
8/6/2019 SCR4473 Information Security Personnel
40/59
Personnel Terminate
When an employee leaves an organization, there are a number of security-related issues
The key is protection of all information to which the employee hadaccess
When an employee leaves, several tasks must be performed: Access to the organizations systems disabled Removable media returned Hard drives secured File cabinet locks changed Office door lock changed Keycard access revoked
Personal effects removed from the organizations premises Once cleared, they should be escorted from the premises In addition many organizations use an exit interview
8/6/2019 SCR4473 Information Security Personnel
41/59
Hostile Departure
Hostile departure (nonvoluntary)- termination, downsizing,lay off, or quitting: Before the employee is aware all logical and keycard access is
terminated As soon as the employee reports for work, he is escorted into
his supervisors office Upon receiving notice, he is escorted to his area, and allowed to
collect personal belongings
Employee asked to surrender all keys, keycards, and other company property
They are then escorted out of the building
8/6/2019 SCR4473 Information Security Personnel
42/59
Friendly Departure
Friendly departure (voluntary) for retirement, promotion,or relocation: employee may have tendered notice well in advance of the
actual departure date
actually makes it more difficult for security to maintain positivecontrol over the employees access and information usage
employee access is usually allowed to continue with a newexpiration date
employees come and go at will and collect their ownbelongings, and leave on their own
They are asked to drop off all organizational property on their way out the door
8/6/2019 SCR4473 Information Security Personnel
43/59
Termination
In all circumstance, the offices and information used by theemployee must be inventoried, their files stored or destroyed,and all property returned to organizational stores
It is possible that the employees foresee departure well inadvance, and begin collecting organizational information or anything that could be valuable in their future employment
Only by scrutinizing systems logs after the employee hasdeparted, and sorting out authorized actions from systemsmisuse or information theft can the organization determine if there has been a breach of policy or a loss of information
In the event that information is illegally copied or stolen, theaction should be declared an incident and the appropriatepolicy followed
8/6/2019 SCR4473 Information Security Personnel
44/59
8/6/2019 SCR4473 Information Security Personnel
45/59
Temporary Employees
Temporary employees are hired by the organization to serve ina temporary position or to supplement the existing workforce
As they are not employed by the host organization, they areoften not subject to the contractual obligations or generalpolicies and if these individuals breach a policy or cause aproblem actions are limited
From a security standpoint, access to information for theseindividuals should be limited to that necessary to perform their duties
Ensure that the temps supervisor restricts the information towhich they have access
8/6/2019 SCR4473 Information Security Personnel
46/59
Contract Employees
Contract employees are typically hired to perform specificservices for the organization
The host company often makes a contract with a parent
organization rather than with an individual for a particular task In a secure facility, all contract employees are escorted from
room to room, as well as into and out of the facility
There is also the need for certain restrictions or requirements to be negotiated into the contract agreementswhen they are activated
8/6/2019 SCR4473 Information Security Personnel
47/59
Consultants
Consultants should be handled like contract employees, withspecial requirements for information or facility accessrequirements integrated into the contract before theseindividual are allowed outside the conference room
Security and technology consultants especially must beprescreened, escorted, and subjected to nondisclosureagreements to protect the organization
Just because you pay a security consultant, doesnt make theprotection of your information his or her number one priority
8/6/2019 SCR4473 Information Security Personnel
48/59
Business Partners
Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integratesystems, or simply to discuss operations for mutualadvantage
There must be a meticulous, deliberate process of determining what information is to be exchanged, in whatformat, and to whom
Nondisclosure agreements and the level of security of bothsystems must be examined before any physical integrationtakes place, as system connection means that thevulnerability of one system is the vulnerability of all
8/6/2019 SCR4473 Information Security Personnel
49/59
Separation of Duties and Collusion
The completion of a significant task that involves sensitive informationshould require two people using the check and balance method to avoidcollusion
A similar concept is that of two-man control, when two individuals reviewand approve each others work before the task is categorized as finished
Another control used is job rotation where employees know each others job skills
A mandatory vacation, of at least one week, provides the ability to audit thework
Need-to-know and least privilege ensures that no unnecessary access to
data occurs, and that only those individuals who must access the data doso
8/6/2019 SCR4473 Information Security Personnel
50/59
Figure 11-6
8/6/2019 SCR4473 Information Security Personnel
51/59
Privacy and the Security of PersonnelData
Organizations are required by law to protectemployee information that is sensitive or personal
This includes employee addresses, phonenumbers, social security numbers, medicalconditions, and even names and addresses of family and relatives
This responsibility also extends to customers,patients, and business relationships
8/6/2019 SCR4473 Information Security Personnel
52/59
Hiring and Termination Issues
From an information security perspective,the hiring of employees is a responsibilityconcerned with potential security pitfalls
The CISO and information security manager should establish a dialogue with the HumanResources department to provide aninformation security viewpoint for hiringpersonnel
8/6/2019 SCR4473 Information Security Personnel
53/59
Hire
Transfer
Terminate Place in JobPersonnelLife Cycle
What about contractors/third- party/vendors?
8/6/2019 SCR4473 Information Security Personnel
54/59
Third-Party/Vendors
Third-party providers may include:
service bureaus
contractors
other organizations providing:
control system operation and maintenance
IT services, development, outsourced applications
network and security management
8/6/2019 SCR4473 Information Security Personnel
55/59
8/6/2019 SCR4473 Information Security Personnel
56/59
8/6/2019 SCR4473 Information Security Personnel
57/59
Contracting and Outsourcing
Required provisions
Protect assets from unauthorized access, disclosure,modification, destruction or interference
Execute particular security processes or activities
Ensure responsibility is assigned to the individual for actions taken
Report security events or potential events or other securityrisks to the organization.
8/6/2019 SCR4473 Information Security Personnel
58/59
Summary
PERSONNEL SECURITY and INFORMATION SECURITY management should cooperate toidentify:
Specific job positions/roles/contracts which may needadditional screening/training
Information Security common and special trainingrequirements
System access and termination procedures
Adequate disciplinary measures
8/6/2019 SCR4473 Information Security Personnel
59/59
Summary
Insider threat and other human issues arethe leading causes of information
security breaches:Take your personnel security issues
seriously!