Security and personnel bp11521




  1. Security and Personnel

  2. Contents
     • Introduction
     • The security function within an organization's structure
     • Staffing the security function
     • Qualifications and requirements
     • Entry into the security profession
     • Information security positions
     • Chief information security officer
     • Security manager
     • Security technician
     • Internal security consultant

  3. Introduction
     • Each organization should examine the options available for staffing the information security function.
     • When implementing security in an organization, there are many human resources issues that must be addressed:
       • The entire organization must decide how to position and name the security function within the organization.
       • The information security community of interest must plan for proper staffing of the information security function.
       • The IT community of interest must understand the impact of information security.
       • The general management community of interest must work with the information security professionals to integrate solid information security concepts.

  4. The Security Function within an Organization's Structure
     The security function can be placed within the:
     • IT function, as a peer of other functions such as networks, applications development, and the help desk
     • Physical security function, as a peer of physical security or protective services
     • Administrative services function, as a peer of human resources or purchasing
     • Insurance and risk management function
     • Legal department

  5. Staffing the Security Function
     • Selecting information security personnel is based on a number of criteria.
     • Some of these factors are within the control of the organization and others are not.
     • The topics covered here are:
       • Qualifications and requirements
       • Entry into the security profession
       • Information security positions

  6. Qualifications and Requirements
     • A number of factors influence an organization's hiring decisions.
     • Because information security has only recently emerged as a separate discipline, hiring decisions in this field are further complicated by a lack of understanding among organizations about what qualifications a potential information security hire should exhibit.
     • Currently, in many organizations, information security teams lack established roles and responsibilities.
     • Establishing better hiring practices in an organization requires the following:
       • The general management community of interest should learn more about the skills and qualifications for both information security positions and those IT positions that impact information security.

  7. Qualifications and Requirements (continued)
     • Upper management should learn more about the budgetary needs of the information security function and the positions within it. This will enable management to make sound fiscal decisions for both the information security function and the IT functions that carry out many of the information security initiatives.
     • The IT and general management communities should grant appropriate levels of influence and prestige to the information security function, and especially to the role of chief information security officer.
     • When hiring information security professionals, organizations frequently look for individuals who understand the following:
       • How an organization operates at all levels
       • That information security is usually a management problem and is seldom an exclusively technical problem

  8. Qualifications and Requirements (continued)
     • How to work with people and collaborate with end users, and the importance of strong communication and writing skills
     • The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution rather than part of the problem
     • Most mainstream IT technologies (not necessarily as experts, but as generalists)
     • The terminology of IT and information security
     • The threats facing an organization and how these threats can become attacks
     • How to protect an organization's assets from information security attacks
     • How business solutions (including technology-based solutions) can be applied to solve specific information security problems

  9. Entry into the Information Security Profession
     • Many information security professionals enter the field through one of two career paths:
       • Ex-law enforcement and military personnel involved in national security and cyber-security tasks, who move from those environments into business-oriented information security; and
       • Technical professionals (networking experts, programmers, database administrators, and systems administrators) who find themselves working on information security applications and processes more often than on traditional IT assignments.
     • In recent years, a third (perhaps in some sense more traditional) career path has developed: college students who select and tailor their degree programs to prepare for work in the field of information security.

  10. Information Security Positions
     • The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities among organizations.
     • Organizations anticipating a revision of these roles and responsibilities can consult Charles Cresson Wood's book Information Security Roles and Responsibilities Made Easy, which offers a set of model job descriptions for information security positions.
     • The book also identifies the responsibilities and duties of the members of the IT staff whose work involves information security.

  11. Positions in Information Security
     • Chief Security Officer
     • Information Security Consultant
     • Information Security Manager
     • Information Security Administrator
     • Information Security Technician / Engineer
     • Physical Security Manager
     • Physical Security Officer

  12. Chief Information Security Officer (CISO or CSO)
     • This is typically the top information security officer in the organization.
     • In many cases, the CISO is the major definer or architect of the information security program.
     • The CISO performs the following functions:
       • Manages the overall information security program for the organization
       • Drafts or approves information security policies
       • Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
       • Develops information security budgets based on available funding
       • Sets priorities for the purchase and implementation of information security projects and technology
       • Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
       • Acts as the spokesperson for the information security team

  13. Security Manager
     • Security managers are accountable for the day-to-day operation of the information security program.
     • They accomplish objectives identified by the CISO and resolve issues identified by technicians.
     • Management of technology requires an understanding of the technology administered, but does not necessarily require proficiency in the technology's configuration, operation, and fault resolution.

  14. Security Technician
     • Security technicians are the technically qualified individuals tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization's security technology is properly implemented.
     • The position of security technician is often entry level, but to be hired in this role, candidates must possess some technical skills.
     • This often poses a dilemma for applicants, as many seeking to enter a new field find it difficult to get a job without experience, which they can only gain by getting a job.

  15. From the internet…
     • Providing services for securing the business information.
     • Personnel Security Standard. Purpose: This standard is intended to ensure that security controls and related procedures are implemented to protect the privacy, security and integrity of VCCS information technology resources against unauthorized or improper use, and to prevent and detect attempts to compromise information technology resources by any employee who is separated, transferred, or promoted.

  16. Areas of security
     • Cyber security
     • Personnel security
     • Physical security