management and info security

profilebiratpant
chapter11.pptx

ITC358 ICT Management and Information Security

Chapter 11

Personnel and Security

I’ll take fifty percent efficiency to get one hundred percent loyalty.

- Samuel Goldwyn, U.S. film producer

Objectives

Upon completion of this chapter, you should be able to:

Identify the skills and requirements for information security positions

List the various information security professional certifications, and identify which skills are encompassed by each

Discuss and implement information security constraints on the general hiring processes

Explain the role of information security in employee terminations

Describe the security practices used to control employee behavior and prevent misuse of information

Introduction

Maintaining a secure environment

Requires that the InfoSec department be carefully structured and staffed with appropriately credentialed personnel

Proper procedures must be integrated into all human resources activities

Including hiring, training, promotion, and termination practices

Staffing the Security Function

Selecting an effective mix of information security personnel

Requires consideration of several criteria

Some are within the control of the organisation

Others are not

Supply and demand for personnel with critical information security skills

When demand rises quickly, initial supply often fails to meet it

As demand becomes known, professionals enter the job market or refocus their job skills to gain the required skills, experience, and credentials

Staffing the Security Function (cont’d.)

To move the InfoSec discipline forward, managers should:

Learn more about the requirements and qualifications for information security positions and relevant IT positions

Learn more about information security budgetary and personnel needs

Grant the information security function (and CISO) an appropriate level of influence and prestige

Qualifications and Requirements

Desired abilities for information security professionals

Understanding of how organisations are structured and operated

Recognising that InfoSec is a management task that cannot be handled with technology alone

Work well with people and communicate effectively using both written and verbal communication

Acknowledging the role of policy in guiding security efforts

Qualifications and Requirements (cont’d.)

Desired abilities for information security professionals (cont’d.)

Understanding of the essential role of information security education and training

Helps make users part of the solution, rather than part of the problem

Perceive the threats facing an organisation

Understand how these threats can become attacks, and safeguard the organisation

Understanding how to apply technical controls

Qualifications and Requirements (cont’d.)

Desired abilities for information security professionals (cont’d.)

Demonstrated familiarity with the mainstream information technologies

Including Disk Operating System (DOS), Windows, Linux, and UNIX

Understanding of IT and InfoSec terminology and concepts

Entering the Information Security Profession

Many InfoSec professionals enter the field

After careers in law enforcement or the military

Or careers in other IT areas, such as networking, programming, database administration, or systems administration

Organisations can foster greater professionalism

By clearly defining their expectations and establishing explicit position descriptions

Entering the Information Security Profession (cont’d.)

Figure 11-1 Information security career paths

Source: Course Technology/Cengage Learning

Information Security Positions

Types of Information security positions

Definers provide the policies, guidelines, and standards

People who consult, do risk assessment and develop the product and technical architectures

Senior people with a broad knowledge, but not a lot of depth

Builders are the real techies, who create and install security solutions

Those that administer the security tools, the security monitoring function, and the people who continuously improve the processes

Where all the day-to-day, hard work is done

Information Security Positions (cont’d.)

Figure 11-2 Possible information security positions and reporting relationships

Source: Course Technology/Cengage Learning

Information Security Positions (cont’d.)

Chief Information Security Officer (CISO)

Typically considered the top information security officer in the organisation

Usually not an executive-level position

Frequently reports to the CIO

Business managers first and technologists second

They must be conversant in all areas of information security

Including technology, planning, and policy

Information Security Positions (cont’d.)

Certified Information Systems Security Professional (CISSP)

Most common qualification for the CISO

A graduate degree in criminal justice, business, technology, or another related field is usually required for the CISO

CISO candidates should have experience in security management, planning, policy, and budgets

Information Security Positions (cont’d.)

Security Manager

It is not uncommon for a security manager to have a CISSP

Should have experience in traditional business activities, including budgeting, project management, personnel management, hiring and firing

Must be able to draft middle- and lower-level policies, as well as standards and guidelines

Several types exist, and the people tend to be much more specialised than CISOs

Information Security Positions (cont’d.)

Security technicians

Technically qualified individuals who configure firewalls and IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented

Typical information security entry-level position, albeit a technical one

Information Security Positions (cont’d.)

Technical qualifications and position requirements for a security technician vary

Organisations typically prefer expert, certified, proficient technicians

Job requirements usually include some level of experience with a particular hardware and software package

Experience using the technology is usually required

Information Security Professional Credentials

Many organisations rely on professional certifications

To ascertain the level of proficiency possessed by any given candidate

Many certification programs are relatively new

Their precise value is not fully understood by most hiring organisations

Certifying bodies work to educate their constituent communities on the value and qualifications of their certificate recipients

Information Security Professional Credentials (cont’d.)

Employers struggle to match certifications to position requirements

Potential information security workers try to determine which certification programs will help them in the job market

(ISC)2 Certifications

Certified Information Systems Security Professional

One of the most prestigious certifications

Recognises mastery of domains of an internationally recognised InfoSec common body of knowledge

Access Control

Application Security

Business Continuity and Disaster Recovery Planning

Cryptography

(ISC)2 Certifications (cont’d.)

Certified Information Systems Security Professional (cont’d.)

Recognises mastery of domains of an internationally recognised InfoSec common body of knowledge (cont’d.)

Information Security and Risk Management

Legal, Regulations, Compliance and Investigations

Operations Security

Physical (Environmental) Security

Security Architecture and Design

Telecommunications and Network Security

(ISC)2 Certifications (cont’d.)

Systems Security Certified Practitioner

More applicable to an entry-level security manager than a technician

Most questions focus on operational InfoSec

Focuses on practices, roles, and responsibilities covering seven domains:

Access controls

Analysis and monitoring

Cryptography

Malicious code

Networks and Telecommunications

Risk, Response and Recovery

Security Operations and Administration

(ISC)2 Certifications (cont’d.)

ISSAP®: Information Systems Security Architecture Professional

Access control systems and methodology

Telecommunications and network security

Cryptography

Requirements analysis and security standards, guidelines, criteria

Technology-related business continuity planning and disaster recovery planning

Physical security integration

(ISC)2 Certifications (cont’d.)

ISSEP®: Information Systems Security Engineering Professional

Systems security engineering

Certification and accreditation

Technical management

U.S. government information assurance regulations

(ISC)2 Certifications (cont’d.)

ISSMP®: Information Systems Security Management Professional

Business continuity planning (BCP), disaster recovery planning (DRP), and continuity of operations planning (COOP)

Enterprise security management practices

Enterprise-wide system development security

Law, investigations, forensics, and ethics

Overseeing compliance of operations security

ISACA Certifications

Certified Information Systems Auditor

A certification of the Information Systems Audit and Control Association and Foundation

Appropriate for auditing, networking, and security professionals

Exam covers:

IS audit process (10 percent)

IT governance (15 percent)

Systems and infrastructure life cycle (16 percent)

IT service delivery and support (14 percent)

Protection of information assets (31 percent)

Business continuity and disaster recovery (14 percent)

ISACA Certifications (cont’d.)

Certified Information Security Manager (CISM)

Geared toward experienced information security managers

Assures executive management that a candidate has the required background knowledge needed for effective security management and consulting

Exam covers:

Information security governance (23 percent)

Information risk management (22 percent)

Information security program development (17 percent)

Information security program management (24 percent)

Incident management and response (14 percent)

Global Information Assurance Certification (GIAC)

System Administration, Networking and Security Organisation (SANS)

Developed a series of technical security certifications known as the GIAC

GIAC family of certifications can be pursued independently

Or combined to earn a comprehensive certification called GIAC Security Engineer (GSE), at a silver, gold or platinum level

Other SANS certifications:

GIAC Information Security Professional (GISP)

GIAC Security Leadership Certification (GSLC)

Global Information Assurance Certification (cont’d.)

GIAC Certifications

Information security fundamentals (GISF)

Security essentials certification (GSEC)

Certified firewall analyst (GCFW)

Certified intrusion analyst (GCIA)

Certified incident handler (GCIH)

Certified Windows security administrator (GCWN)

Certified UNIX security administrator (GCUX)

Certified forensics analyst (GCFA)

Securing Oracle Certification (GSOC)

Intrusion Prevention (GIPS)

Cutting Edge Hacking Techniques (GHTQ)

Web Application Security (GWAS)

Reverse Engineering Malware (GREM)

Assessing Wireless Networks (GAWN)

Security+

The CompTIA Security+ certification

Tests for security knowledge mastery

Must have two years of on-the-job networking experience with emphasis on security

Exam covers industry-wide topics including:

Systems security (21%)

Network infrastructure (20%)

Access control (17%)

Assessments & audits (15%)

Cryptography (15%)

Organisational Security (12%)

Certified Computer Examiner (CCE)

A computer forensics certification

Provided by the International Society of Forensic Computer Examiners

Topics include

Acquisition, marking, handling, and storage of evidence procedures

Chain of custody

Essential “core” forensic computer examination procedures

“Rules of evidence” for computer examinations

Certified Computer Examiner (cont’d.)

A computer forensics certification (cont’d.)

Topics include: (cont’d.)

Basic PC hardware construction and theory

Very basic networking theory

Basic data recovery techniques

Authenticating MS Word documents and accessing and interpreting metadata

Basic optical recording processes and accessing data on optical media

Basic password recovery techniques

Basic Internet issues

Certification Costs

Preferred certifications can be expensive

Most experienced professionals find it difficult to do well on the exams without at least some review

Certifications recognise experts in their respective fields

The cost of certification deters those who might otherwise take the exam just to see if they can pass

Certification Costs (cont’d.)

Most examinations:

Require between two and three years of work experience

They are often structured to reward candidates who have significant hands-on experience

Certification Costs (cont’d.)

Figure 11-3 Preparing for security certification

Source: Course Technology/Cengage Learning

Employment Policies and Practices

Management should integrate solid information security concepts

Across all of the organisation’s employment policies and practices

Including information security responsibilities into every employee’s job description and subsequent performance reviews

Can make an entire organisation take information security more seriously

Hiring

From an information security perspective, hiring employees is laden with potential security pitfalls

Information security considerations should become part of the hiring process

Job descriptions

Provide complete job descriptions when advertising open positions

Omit the elements of the job description that describe access privileges

Hiring (cont’d.)

Interviews

Information security should advise human resources

Limit the information provided to the candidates on the access rights of the position

When an interview includes a site visit

Tour should avoid secure and restricted sites, because the visitor could observe enough information about the operations or information security functions to represent a potential threat to the organisation

Hiring (cont’d.)

New hire orientation

New employees should receive an extensive information security briefing

As part of their orientation

On-the-job security training

Conduct periodic SETA activities

Keeps security at the forefront of employees’ minds and minimises employee mistakes

Security checks

Conduct a background check before extending an offer

Hiring (cont’d.)

Common background checks

Identity checks: personal identity validation

Education and credential checks: institutions attended, degrees and certifications earned, and certification status

Previous employment verification: where candidates worked, why they left, what they did, and for how long

Reference checks: validity of references and integrity of reference sources

Hiring (cont’d.)

Common background checks (cont’d.)

Worker’s compensation history: claims

Motor vehicle records: driving records, suspensions, and other items noted in the applicant’s public record

Drug history: drug screening and drug usage, past and present

Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position

Hiring (cont’d.)

Common background checks (cont’d.)

Credit history: credit problems, financial problems, and bankruptcy

Civil court history: involvement as the plaintiff or defendant in civil suits

Criminal court history: criminal background, arrests, convictions, and time served

Contracts and Employment

Once a candidate has accepted a job offer

The employment contract becomes an important security instrument

It is important to have these contracts and agreements in place at the time of the hire

Security as Part of Performance Evaluation

Organisations should incorporate information security components into employee performance evaluations

To heighten information security awareness and change workplace behavior

Employees pay close attention to job performance evaluations

Including information security tasks in them will motivate employees to take more care when performing these tasks

Termination Issues

When an employee leaves an organisation, the following tasks must be performed:

Disable access to the organisation’s systems

Return all removable media

Hard drives must be secured

File cabinet and door locks must be changed

Keycard access must be revoked

Personal effects must be removed

Escort the former employee from the premises

Termination Issues (cont’d.)

Many organisations conduct an exit interview

To remind the employee of any contractual obligations

Such as nondisclosure agreements

To obtain feedback on the employee’s tenure in the organisation

Methods for handling employee outprocessing: hostile and friendly

Termination Issues (cont’d.)

Hostile departure

Security cuts off all logical and keycard access before the employee is terminated

The employee reports for work, and is escorted into the supervisor’s office to receive the bad news

The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects

Termination Issues (cont’d.)

Hostile departure (cont’d.)

Once personal property has been gathered, the employee is asked to surrender all keys, keycards, and other organisational identification and access devices, PDAs, pagers, cell phones, and all remaining company property

The employee is then escorted from the building

Termination Issues (cont’d.)

Friendly departure

The employee may have tendered notice well in advance of the actual departure date

Difficult for security to maintain positive control over the employee’s access and information usage

Employee accounts are usually allowed to continue, with a new expiration date

The employee can come and go at will

Usually collects any belongings and leaves without escort, dropping off all organisational property before departing

Termination Issues (cont’d.)

In either circumstance:

Offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organisational stores

Departing employees may have collected and taken home information or assets that could be valuable in their future jobs

Scrutinising system logs may allow an organisation to determine whether a breach of policy or a loss of information has occurred
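
The slides describe two departure patterns (hostile: access cut off before the employee is told; friendly: the account continues with a new expiration date) and note that scrutinising system logs can reveal a breach of policy or a loss of information. The following Python is an added example, not code from the chapter or its textbook: it models a departure roster, parses a constructed audit log, and flags activity after the cutoff as well as bulk copies during a notice period. Every user name, path, size, timestamp and the log format itself is constructed for illustration.

```python
"""Reviewing system logs around employee departures.

Added example (not from the chapter): models the hostile and friendly
departures described on the slides and flags log events that suggest a
breach of policy or a loss of information. Every user name, path, size and
timestamp below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed departure roster: the moment each account should have stopped
# working. Hostile: the time security revoked access, before notification.
# Friendly: the new expiration date placed on the still-active account.
DEPARTURES: Dict[str, dict] = {
    "jdoe": {"kind": "hostile", "cutoff": datetime(2024, 3, 4, 8, 0)},
    "asmith": {"kind": "friendly", "cutoff": datetime(2024, 3, 15, 17, 0)},
}

# Constructed audit log: "date time user action resource size_mb".
SAMPLE_LOG = """\
2024-03-01 10:12:00 asmith read  /projects/alpha/design.docx 120
2024-03-03 22:40:00 asmith copy  /projects/alpha/ 2300
2024-03-04 08:05:00 jdoe   login vpn 0
2024-03-04 09:30:00 jdoe   read  /hr/salaries.xlsx 80
2024-03-10 15:00:00 asmith read  /projects/alpha/status.pptx 40
2024-03-12 23:10:00 asmith copy  /finance/ 5100
2024-03-16 09:00:00 asmith login vpn 0
2024-03-16 09:01:00 bwong  read  /projects/alpha/status.pptx 40
"""


@dataclass
class Event:
    when: datetime
    user: str
    action: str
    resource: str
    size_mb: int


@dataclass
class Finding:
    user: str
    reason: str
    when: datetime
    resource: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, action, resource, size = line.split()
        events.append(Event(datetime.fromisoformat(f"{date} {time}"),
                            user, action, resource, int(size)))
    return events


def review_departures(events: List[Event], departures: Dict[str, dict],
                      bulk_copy_mb: int = 1000) -> List[Finding]:
    """Flag two conditions for each departing employee in the roster:

    1. any activity at or after the cutoff, which for a hostile departure
       means deprovisioning was incomplete, and for a friendly one means
       the account outlived its new expiration date;
    2. a bulk copy before the cutoff, the notice-period window in which a
       friendly leaver can still collect information for a future job.
    """
    findings = []
    for ev in events:
        dep = departures.get(ev.user)
        if dep is None:
            continue  # not a departing employee; out of scope for this review
        if ev.when >= dep["cutoff"]:
            findings.append(Finding(ev.user, f"activity after {dep['kind']} departure cutoff",
                                    ev.when, ev.resource))
        elif ev.action == "copy" and ev.size_mb >= bulk_copy_mb:
            findings.append(Finding(ev.user, "bulk copy during notice period",
                                    ev.when, ev.resource))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per departing employee, for the exit review summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_departures(parse_log(SAMPLE_LOG), DEPARTURES):
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:<7} {f.reason}: {f.resource}")
```

On the constructed log this produces five findings: two for the hostile leaver (a VPN login and a file read that succeeded after the cutoff, which means the access cut-off the slides require was not complete) and three for the friendly leaver (two large copies during the notice period and a login after the new expiration date). The bulk-copy threshold is a tunable assumption; in practice it would be set from the organisation's own baseline.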

Personnel Security Practices

Methods of monitoring and controlling employees

To minimise their opportunities to misuse information

Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information

Two-man control requires that two individuals review and approve each other’s work before the task is considered complete

Personnel Security Practices (cont’d.)

Figure 11-5 Personnel security controls

Source: Course Technology/Cengage Learning

Personnel Security Practices (cont’d.)

Methods of monitoring and controlling employees (cont’d.)

Job rotation is another control used to prevent personnel from misusing information assets

Requires that every employee be able to perform the work of at least one other employee

Task rotation

All critical tasks can be performed by multiple individuals

Personnel Security Practices (cont’d.)

Job rotation and task rotation ensure

No one employee is performing actions that cannot be knowledgeably reviewed by another employee

Each employee should be required to take mandatory vacation

This policy gives the organisation a chance to perform a detailed review of everyone’s work

Personnel Security Practices (cont’d.)

Limiting access to information

Minimises opportunities for employee misuse

Employees should be able to access only the information they need, and only for the period required to perform their tasks

This idea is referred to as the principle of least privilege

Ensures that no unnecessary access to data occurs

If all employees can access all the organisation’s data all the time, it is almost certain that abuses will occur
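
The principle of least privilege described above (access only to what is needed, only for the period required), the two-man control and separation of duties from the earlier Personnel Security Practices slide, and the access-disabling steps from the Termination Issues slides can all be expressed as a small access policy. The following Python is an added example, not code from the chapter or its textbook; the policy model, the user names, resources and dates are constructed for illustration.

```python
"""Personnel security controls as code: time-bounded least privilege,
two-man control, and access revocation at departure.

Added example (not from the chapter). The policy model, user names,
resources and dates are all constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set


@dataclass
class Grant:
    resource: str
    expires: datetime  # access ends when the period required for the task ends


@dataclass
class AccessPolicy:
    """Explicit, expiring grants: the principle of least privilege in code."""
    grants: Dict[str, List[Grant]] = field(default_factory=dict)

    def grant(self, user: str, resource: str, expires: datetime) -> None:
        self.grants.setdefault(user, []).append(Grant(resource, expires))

    def can_access(self, user: str, resource: str, at: datetime) -> bool:
        # Default deny: only a live grant naming this exact resource allows access.
        return any(g.resource == resource and at < g.expires
                   for g in self.grants.get(user, []))

    def set_expiration(self, user: str, expires: datetime) -> None:
        # Friendly departure: the account continues, but with a new, earlier expiry.
        for g in self.grants.get(user, []):
            g.expires = min(g.expires, expires)

    def revoke_all(self, user: str) -> None:
        # Hostile departure / termination checklist: disable every access path at once.
        self.grants.pop(user, None)


@dataclass
class TwoPersonControl:
    """Separation of duties: work is complete only after review by someone else."""
    submitter: str
    approvals: Set[str] = field(default_factory=set)

    def approve(self, reviewer: str) -> None:
        if reviewer == self.submitter:
            raise PermissionError("a submitter cannot approve their own work")
        self.approvals.add(reviewer)

    @property
    def complete(self) -> bool:
        return len(self.approvals) >= 1


def demo() -> Dict[str, bool]:
    """Walk through the controls with constructed users and dates."""
    policy = AccessPolicy()
    results: Dict[str, bool] = {}

    # Least privilege: access is per resource and per task period.
    policy.grant("asmith", "/projects/alpha", expires=datetime(2024, 3, 31))
    policy.grant("asmith", "/finance/q1", expires=datetime(2024, 3, 5))
    results["in_scope"] = policy.can_access("asmith", "/projects/alpha", datetime(2024, 3, 1))
    results["no_grant"] = policy.can_access("asmith", "/hr/salaries", datetime(2024, 3, 1))
    results["task_expired"] = policy.can_access("asmith", "/finance/q1", datetime(2024, 3, 6))

    # Friendly departure: notice given, account expires on the last day.
    policy.set_expiration("asmith", datetime(2024, 3, 15, 17, 0))
    results["before_last_day"] = policy.can_access("asmith", "/projects/alpha", datetime(2024, 3, 10))
    results["after_last_day"] = policy.can_access("asmith", "/projects/alpha", datetime(2024, 3, 16))

    # Hostile departure: all access cut off before the employee is told.
    policy.grant("jdoe", "/projects/alpha", expires=datetime(2024, 3, 31))
    policy.revoke_all("jdoe")
    results["revoked"] = policy.can_access("jdoe", "/projects/alpha", datetime(2024, 3, 1))

    # Two-man control: jdoe's change needs a second person's approval.
    task = TwoPersonControl(submitter="jdoe")
    try:
        task.approve("jdoe")
        results["self_approval_blocked"] = False
    except PermissionError:
        results["self_approval_blocked"] = True
    results["complete_before_review"] = task.complete
    task.approve("bwong")
    results["complete_after_review"] = task.complete
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<24} {value}")
```

The design point is that every grant carries both a resource and an end date, so "all employees can access all data all the time" is impossible to express; a departure then becomes either a shortened expiry (friendly) or a single revocation of the whole grant list (hostile), rather than a hunt for stray permissions.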

Security of Personnel and Personal Data

Organisations are required by law to protect sensitive or personal employee information

Examples: employee addresses, phone numbers, Social Security numbers, medical conditions, and names and addresses of family members

Responsibility extends to customers, patients, and anyone with whom the organisation has business relationships

Security of Personnel and Personal Data (cont’d.)

Personnel data is no different than other data that information security is expected to protect

But more regulations cover its protection

Information security procedures should ensure that this data receives at least the same level of protection as the other important data in the organisation

Security Considerations for Nonemployees

Many individuals who are not employees often have access to sensitive organisational information

Relationships with individuals in this category should be carefully managed to prevent threats to information assets from materialising

Temporary workers

Not employed by the organisation for which they’re working

Security Considerations for Nonemployees (cont’d.)

Temporary workers (cont’d.)

May not be subject to the contractual obligations or policies that govern employees

Unless specified in its contract with the organisation, the temporary agency may not be liable for losses caused by its workers

Access to information should be limited to what is necessary to perform their duties

Security Considerations for Nonemployees (cont’d.)

Contract employees

Professional contractors may require access to all areas of the organisation to do their jobs

Service contractors usually need access only to specific facilities

Should not be allowed to wander freely

In a secure facility, all service contractors are escorted from room to room, and into and out of the facility

Security Considerations for Nonemployees (cont’d.)

Regulations for service agreements or contracts:

Require 24 to 48 hours’ notice of a maintenance visit

Require all on-site personnel to undergo background checks

Require advance notice for cancellation or rescheduling of a maintenance visit

Security Considerations for Nonemployees (cont’d.)

Consultants

Have their own security requirements and contractual obligations

Should be handled like contract employees

Special requirements, such as information or facility access requirements, should be integrated into the contract before facility access is granted

Protecting your information may not be their number one priority

Apply the principle of least privilege

Security Considerations for Nonemployees (cont’d.)

Business partners

Strategic alliances with other organisations to exchange information, integrate systems, or enjoy some other mutual advantage

A prior agreement must specify the levels of exposure that both organisations are willing to tolerate

Security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements

Security Considerations for Nonemployees (cont’d.)

Business partners (cont’d.)

If the strategic partnership evolves into an integration of the systems of both companies

Competing groups may be provided with information that neither parent organisation expected

Nondisclosure agreements are an important part of any such collaborative effort

Security level of both systems must be examined before any physical integration takes place

A vulnerability on one system becomes a vulnerability for all linked systems

Summary

Introduction

Staffing the security function

Information security professional credentials

Employment policies and practices
