Security and Personnel Chapter 11 - PowerPoint PPT Presentation

Slides: 43
Provided by: herb47
1
Security and Personnel Chapter 11
  • I think we need to be paranoid optimists.
  • -- Robert J. Eaton

2
Learning Objectives
  • Upon completion of this chapter you should be
    able to:
    • Understand where and how the information security
      function is positioned within organizations.
    • Understand the issues and concerns about staffing
      the information security function.
    • Know about the credentials that professionals in
      the information security field can acquire.
    • Recognize how an organization's employment
      policies and practices can support the
      information security effort.
    • Understand the special security precautions
      necessary for nonemployees.
    • Recognize the need for the separation of duties.
    • Understand the special requirements needed for
      the privacy of personnel data.

3
Security Function Within an Organization's Structure
  • The security function can be placed within the:
    • IT function
    • Physical security function
    • Administrative services function
    • Insurance and risk management function
    • Legal department
  • The challenge is to design a structure that
    balances the competing needs of the communities
    of interest
  • Organizations compromise to balance the needs of
    enforcement with the needs for education, training,
    awareness, and customer service

4
Staffing the Security Function
  • Selecting personnel is based on many criteria,
    including supply and demand
  • Many professionals enter the security market by
    gaining skills, experience, and credentials
  • At the present time the information security
    industry is in a period of high demand

5
Qualifications and Requirements
  • Issues in information security hiring:
    • Management should learn more about position
      requirements and qualifications
    • Upper management should also learn more about the
      budgetary needs of the infosec function
    • Management needs to learn more about the level of
      influence and prestige the information security
      function should be given in order to be effective
  • Organizations typically look for a technically
    qualified information security generalist
  • In the information security discipline,
    over-specialization is often a risk and it is
    important to balance technical skills with
    general information security knowledge

6
Hiring Criteria
  • When hiring infosec professionals, organizations
    frequently look for individuals who understand:
    • How an organization operates at all levels
    • That information security is usually a management
      problem and is seldom an exclusively technical
      problem
    • People, and who have strong communication and
      writing skills
    • The roles of policy and of education and training
    • The threats and attacks facing an organization
    • How to protect the organization from attacks
    • How business solutions can be applied to solve
      specific information security problems
    • Many of the most common mainstream IT
      technologies, as generalists
    • The terminology of IT and information security

7
Entry into the Security Profession
  • Many information security professionals enter the
    field through one of two career paths:
    • Ex-law enforcement and military personnel
    • Technical professionals working on security
      applications and processes
  • Today, students are selecting and tailoring
    degree programs to prepare for work in security
  • Organizations can foster greater professionalism
    in the information security discipline through
    clearly defined expectations and position
    descriptions

8
Information Security Positions
  • The use of standard job descriptions can increase
    the degree of professionalism in the information
    security field as well as improve the consistency
    of roles and responsibilities between
    organizations
  • Organizations that are revising the roles and
    responsibilities of InfoSec staff can consult
    references

9
Figure 11-2
10
InfoSec Staffing Help Wanted
  • Definers provide the policies, guidelines, and
    standards
  • Builders are the real techies, who create and
    install security solutions
  • Operators run and administer the security tools,
    perform security monitoring, and continuously
    improve processes

11
Chief Information Security Officer
  • The top information security position in the
    organization; not usually an executive, and
    frequently reports to the Chief Information
    Officer
  • The CISO performs the following functions:
    • Manages the overall InfoSec program
    • Drafts or approves information security policies
    • Works with the CIO on strategic plans, develops
      tactical plans, and works with security managers
      on operational plans
    • Develops InfoSec budgets based on funding
    • Sets priorities for InfoSec projects and technology
    • Makes decisions in recruiting, hiring, and firing
      of security staff
    • Acts as the spokesperson for the security team

12
Chief Information Security Officer
  • Qualifications and position requirements:
    • Often a CISSP
    • A graduate degree
    • Experience as a security manager

13
Security Manager
  • Accountable for the day-to-day operation of the
    information security program
  • Accomplishes objectives as identified by the CISO
  • Qualifications and position requirements:
    • It is not uncommon to have a CISSP
    • Traditionally, managers earned the CISSP while
      technical professionals earned the Global
      Information Assurance Certification
    • Must have the ability to draft middle- and
      lower-level policies as well as standards and
      guidelines
    • Must have experience in budgeting, project
      management, and hiring and firing
    • Must also be able to manage technicians, both in
      the assignment of tasks and the monitoring of
      activities

14
Security Technician
  • Technically qualified individuals tasked to
    configure security hardware and software
  • Tend to be specialized, focusing on one major
    security technology and further specializing in
    one software or hardware solution
  • Qualifications and position requirements:
    • Organizations prefer the expert, certified,
      proficient technician
    • Job descriptions cover some level of experience
      with a particular hardware and software package
    • Sometimes familiarity with a technology secures
      an applicant an interview; however, experience in
      using the technology is usually required

15
Internal Security Consultant
  • Typically an expert in some aspect of information
    security
  • While it is usually preferable to involve a formal
    security services company, it is not unusual to
    find a qualified individual consultant
  • Must be highly proficient in the managerial
    aspects of security
  • Information security consultants usually enter
    the field after working as experts in the
    discipline and often have experience as a
    security manager or CISO

16
Credentials of Information Security Professionals
  • Many organizations seek recognizable
    certifications
  • Most existing certifications are relatively new
  • Certifications:
    • CISSP and SSCP
    • Global Information Assurance Certification
    • Security Certified Professional
    • T.I.C.S.A. and T.I.C.S.E.
    • Security+
    • Certified Information Systems Auditor
    • Certified Information Systems Forensics
      Investigator

17
Cost of Being Certified
  • Certifications cost money, and the better
    certifications can be quite expensive; the cost
    of training can also be significant
  • Even an experienced professional finds it
    difficult to sit for one of these exams without
    some preparation
  • Many candidates teach themselves through trade
    press books; others prefer the structure of formal
    training
  • Before attempting a certification exam, do your
    homework and review the exam criteria, its
    purpose, and its requirements in order to ensure
    that the time and energy spent pursuing the
    certification are well spent

18
Figure 11-3
19
Advice for Information Security Professionals
  • As a future information security professional,
    you can benefit from suggestions on entering the
    information security job market:
    • Always remember: business first, technology last
    • It's all about the information
    • Be heard and not seen
    • Know more than you say, be more skillful than you
      let on
    • Speak to users, not at them
    • Your education is never complete

20
Employment Policies and Practices
  • The general management community of interest
    should integrate solid information security
    concepts into the organization's employment
    policies and practices
  • If the organization can include security as a
    documented part of every employee's job
    description, then perhaps information security
    will be taken more seriously

21
Hiring and Termination Issues
  • From an information security perspective, the
    hiring of employees is a responsibility laden
    with potential security pitfalls
  • The CISO and information security manager should
    establish a dialogue with the Human Resources
    department to provide an information security
    viewpoint for hiring personnel

22
Figure 11-4
23
Job Descriptions
  • Inserting information security perspectives into
    the hiring process begins with reviewing and
    updating all job descriptions
  • To prevent people from applying for positions
    based solely on access to sensitive information,
    the organization should avoid revealing access
    privileges to prospective employees when
    advertising positions

24
Interviews
  • An opening within Information Security opens up a
    unique opportunity for the security manager to
    educate HR on the certifications, experience, and
    qualifications of a good candidate
  • Information security should advise HR to limit
    information provided to the candidate on the
    responsibilities and access rights the new hire
    would have
  • For those organizations that include on-site
    visits as part of interviews, it is important to
    use caution when showing a candidate around the
    facility

25
Background Checks
  • A background check is an investigation into a
    candidate's past
  • There are regulations that govern such
    investigations
  • Background checks differ in the level of detail
    and depth with which the candidate is examined:
    • Identity checks
    • Education and credential checks
    • Previous employment verification
    • Reference checks
    • Workers' compensation history
    • Motor vehicle records
    • Drug history
    • Credit history
    • Civil court history
    • Criminal court history

26
Fair Credit Reporting Act
  • Federal regulations exist in the use of personal
    information in employment practices, including
    the Fair Credit Reporting Act (FCRA)
  • Background reports contain information on a job
    candidate's credit history, employment history,
    and other personal data
  • FCRA prohibits employers from obtaining these
    reports unless the candidate is informed

27
Employment Contracts
  • Once a candidate has accepted the job offer, the
    employment contract becomes an important security
    instrument
  • Many security policies require an employee to
    agree in writing
  • If an existing employee refuses to sign these
    contracts, the security personnel are placed in a
    difficult situation
  • New employees, however, may find policies
    classified as "employment contingent upon
    agreement", whereby the employee is not offered
    the position unless he/she agrees to the binding
    organizational policies

28
New Hire Orientation
  • As new employees are introduced into the
    organization's culture and workflow, they should
    receive an extensive information security
    briefing on all major policies, procedures, and
    requirements for information security
  • The levels of authorized access are outlined, and
    training provided on the secure use of
    information systems
  • By the time employees are ready to report to
    their positions, they should be thoroughly
    briefed, and ready to perform their duties
    securely

29
On-the-Job Security Training
  • As part of the new hire's ongoing job
    orientation, and as part of every employee's
    security responsibilities, the organization
    should conduct periodic security awareness
    training
  • Keeping security at the forefront of employees'
    minds and minimizing employee mistakes is an
    important part of the information security
    awareness mission
  • Formal external and informal internal seminars
    also increase the level of security awareness for
    all employees, especially security employees

30
Performance Evaluation
  • To heighten information security awareness and
    change workplace behavior, organizations should
    incorporate information security components into
    employee performance evaluations
  • Employees pay close attention to job performance
    evaluations, and if the evaluations include
    information security tasks, employees are more
    motivated to perform these tasks at a
    satisfactory level

31
Termination
  • When an employee leaves an organization, there
    are a number of security-related issues
  • The key is protection of all information to which
    the employee had access
  • When an employee leaves, several tasks must be
    performed:
    • Access to the organization's systems disabled
    • Removable media returned
    • Hard drives secured
    • File cabinet locks changed
    • Office door lock changed
    • Keycard access revoked
    • Personal effects removed from the organization's
      premises
  • Once cleared, the employee should be escorted from
    the premises
  • In addition, many organizations use an exit
    interview

32
Hostile Departure
  • Hostile departure (nonvoluntary): termination,
    downsizing, layoff, or quitting
  • Before the employee is aware, all logical and
    keycard access is terminated
  • As soon as the employee reports for work, he is
    escorted into his supervisor's office
  • Upon receiving notice, he is escorted to his
    area and allowed to collect personal belongings
  • The employee is asked to surrender all keys,
    keycards, and other company property
  • The employee is then escorted out of the building

33
Friendly Departure
  • Friendly departure (voluntary): retirement,
    promotion, or relocation
  • The employee may have tendered notice well in
    advance of the actual departure date
  • This actually makes it more difficult for security
    to maintain positive control over the employee's
    access and information usage
  • Employee access is usually allowed to continue,
    with a new expiration date
  • Employees come and go at will, collect their own
    belongings, and leave on their own
  • They are asked to drop off all organizational
    property on their way out the door

34
Termination
  • In all circumstances, the offices and information
    used by the employee must be inventoried, their
    files stored or destroyed, and all property
    returned to organizational stores
  • It is possible that employees foresee their
    departure well in advance and begin collecting
    organizational information or anything that could
    be valuable in their future employment
  • Only by scrutinizing system logs after the
    employee has departed, and sorting out authorized
    actions from system misuse or information theft,
    can the organization determine whether there has
    been a breach of policy or a loss of information
  • In the event that information is illegally copied
    or stolen, the action should be declared an
    incident and the appropriate policy followed
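The access-termination tasks and the post-departure log review described on the Termination, Hostile Departure and Friendly Departure slides, as an added example (not from the presentation or its textbook): a Python check that applies the two cutoff rules (hostile: access ends at notice; friendly: access runs to the new expiration date) to constructed HR departure records, a constructed authentication log and a constructed list of enabled accounts. The record and log formats are assumptions made for this example.

```python
"""Offboarding reconciliation (added example, not from the slides).
Hostile departure: access ends when notice is given. Friendly departure:
access runs to an agreed expiration date. Scrutinize a log for activity
after that cutoff and list accounts still enabled past it.
HR record and log line formats are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Departure:
    user: str
    kind: str              # "hostile" or "friendly"
    notice: datetime       # when the employee is informed
    expiration: datetime   # friendly departures: agreed end of access

    @property
    def cutoff(self) -> datetime:
        # Hostile: access is terminated before the employee is told.
        # Friendly: access continues to the new expiration date.
        return self.notice if self.kind == "hostile" else self.expiration

def parse_log(lines):
    """Constructed format: '<ISO timestamp> <user> <action...>'."""
    events = []
    for line in lines:
        ts, user, action = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), user, action))
    return events

def post_departure_activity(departures, events):
    """Events by a departing user after that user's access cutoff."""
    by_user = {d.user: d for d in departures}
    return [(u, ts.isoformat(), act) for ts, u, act in events
            if u in by_user and ts > by_user[u].cutoff]

def stale_accounts(departures, enabled, now):
    """Departed users whose account is still enabled after the cutoff."""
    return sorted(d.user for d in departures if d.user in enabled and now > d.cutoff)

# Constructed sample data.
DEPARTURES = [
    Departure("jdoe", "hostile", datetime(2024, 3, 4, 9), datetime(2024, 3, 4, 9)),
    Departure("asmith", "friendly", datetime(2024, 3, 1, 9), datetime(2024, 3, 15, 17)),
]
LOG = [
    "2024-03-03T18:45:00 jdoe login vpn",
    "2024-03-04T10:12:00 jdoe login vpn",                 # after hostile cutoff
    "2024-03-10T08:00:00 asmith login fileserver",        # before friendly expiry
    "2024-03-16T22:30:00 asmith download hr_export.zip",  # after friendly expiry
    "2024-03-16T09:00:00 bwong login vpn",                # not departing
]
ENABLED_ACCOUNTS = {"jdoe", "asmith", "bwong"}

def run_report(now_iso="2024-03-10T00:00:00"):
    """Return (post-departure activity, accounts still enabled) for the sample data."""
    now = datetime.fromisoformat(now_iso)
    events = parse_log(LOG)
    return post_departure_activity(DEPARTURES, events), stale_accounts(DEPARTURES, ENABLED_ACCOUNTS, now)
```

Calling `run_report()` flags the hostile-departure login after notice and the friendly-departure download after the expiration date, and lists the account that should already have been disabled on the review date.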

35
Security Considerations For Nonemployees
  • A number of individuals who are not subject to
    rigorous screening, contractual obligations, and
    eventual secured termination often have access to
    sensitive organizational information
  • Relationships with individuals in this category
    should be carefully managed to prevent a possible
    information leak or theft

36
Temporary Employees
  • Temporary employees are hired by the organization
    to serve in a temporary position or to supplement
    the existing workforce
  • As they are not employed by the host
    organization, they are often not subject to its
    contractual obligations or general policies, and
    if these individuals breach a policy or cause a
    problem the actions available are limited
  • From a security standpoint, access to information
    for these individuals should be limited to that
    necessary to perform their duties
  • Ensure that the temp's supervisor restricts the
    information to which they have access

37
Contract Employees
  • Contract employees are typically hired to perform
    specific services for the organization
  • The host company often makes a contract with a
    parent organization rather than with an
    individual for a particular task
  • In a secure facility, all contract employees are
    escorted from room to room, as well as into and
    out of the facility
  • There is also the need for certain restrictions
    or requirements to be negotiated into the
    contract agreements when they are activated

38
Consultants
  • Consultants should be handled like contract
    employees, with any special information or
    facility access requirements integrated into the
    contract before these individuals are allowed
    outside the conference room
  • Security and technology consultants especially
    must be prescreened, escorted, and subjected to
    nondisclosure agreements to protect the
    organization
  • Just because you pay a security consultant
    doesn't make the protection of your information
    his or her number one priority

39
Business Partners
  • Businesses find themselves in strategic alliances
    with other organizations, desiring to exchange
    information, integrate systems, or simply to
    discuss operations for mutual advantage
  • There must be a meticulous, deliberate process of
    determining what information is to be exchanged,
    in what format, and to whom
  • Nondisclosure agreements and the level of
    security of both systems must be examined before
    any physical integration takes place, as system
    connection means that the vulnerability of one
    system is the vulnerability of all

40
Separation of Duties and Collusion
  • The completion of a significant task that
    involves sensitive information should require two
    people, using the check-and-balance method to
    avoid collusion
  • A similar concept is that of two-man control,
    where two individuals review and approve each
    other's work before the task is categorized as
    finished
  • Another control used is job rotation, where
    employees know each other's job skills
  • A mandatory vacation of at least one week
    provides the ability to audit the work
  • Need-to-know and least privilege ensure that no
    unnecessary access to data occurs, and that only
    those individuals who must access the data do so

41
Figure 11-6
42
Privacy and the Security of Personnel Data
  • Organizations are required by law to protect
    employee information that is sensitive or
    personal
  • This includes employee addresses, phone numbers,
    social security numbers, medical conditions, and
    even names and addresses of family and relatives
  • This responsibility also extends to customers,
    patients, and business relationships