Security and personnel

TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 578 1
Security and Personnel
Ray Trygstad
ITM 578 Section 071
Summer 2003
Master of Information Technology & Management Program
CenterforProfessional Development
Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003

ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning Objectives:
Upon completion of this lesson students
should be able to:
– Describe where and how the information
security function is positioned within
organizations
– Discuss issues and concerns about staffing
the information security function
– Describe credentials that professionals in the
information security field can acquire

ITM 578 3
Learning Objectives:
Upon completion of this lesson students
should be able to:
– Recognize how an organization’s
employment policies and practices can
support the information security effort
– Explain special security precautions
necessary for nonemployees
– Recognize the need for the separation of
duties.
– Describe special requirements needed for
the privacy of personnel data

ITM 578 4
Introduction
 When implementing information security
many human resource issues must be
addressed
1. How to position and name the security function
2. Planning of proper staffing for the information
security function.
3. Understand the impact of information security
across every role in the IT function & adjust job
descriptions and documented practices
accordingly
4. General management must work with IS
professionals to integrate solid information
security concepts into organizational personnel
management practices

ITM 578 5
Introduction
 Understanding impact of change to
personnel management practices of the
organization is important in success of
implementation
 Employees often feel threatened when an
organization is creating or enhancing an
overall information security program
 Quelling doubts and reassuring employees is
a fundamental part of implementation
 It’s important to supply resources to gather
and respond quickly to employee feedback

ITM 578 6
Security Function Within an Organization’s Structure
The security function can be placed
within the:
– IT function
– Physical security function
– Administrative services function
– Insurance and risk management function
– Legal department

ITM 578 7
Security Function Within an Organization’s Structure
The challenge is to design a structure
that balances the competing needs of
the communities of interest
Organizations compromise to balance
needs of enforcement with needs for
education, training, awareness, and
customer service

ITM 578 8
Audit Function of IT Security
Since Information Security has an
important audit function, some feel it
should not be in the IT organization
This is based on the principle that
audit organizations should be
external to the area audited

ITM 578 9
Staffing the Security Function
Selecting information security
personnel is based on many criteria,
including supply and demand
Many professionals enter the security
market by gaining skills, experience,
and credentials to qualify as new
supply

ITM 578 10
Staffing The Security Function
Until the new supply reaches the demand
level, organizations must pay higher costs
associated with the current limited
supply
When supply reaches a level at or above
demand, organizations hiring these skills
can become selective so the cost they are
willing to pay drops
Currently the information security
industry is in a period of high demand

ITM 578 11
Qualifications and Requirements
Issues in information security hiring:
– Management should learn more about
position requirements and qualifications
– Upper management should also learn
more about the budgetary needs of the
information security function
– Management needs to learn more about
the level of influence and prestige the
information security function should be
given in order to be effective

ITM 578 12
Qualifications and Requirements
Organizations typically look for a
technically-qualified information
security generalist
In the information security discipline,
over-specialization is often a risk and
it is important to balance technical
skills with general information
security knowledge

ITM 578 13
Hiring Criteria
When hiring infosec professionals,
organizations frequently look for
individuals who understand:
– How an organization operates at all levels
– Information security is usually a management
problem and is seldom an exclusively technical
problem
– People, and have strong communications and
writing skills
– The roles of policy and education and training

ITM 578 14
More Hiring Criteria
When hiring infosec professionals,
organizations frequently look for
individuals who understand:
– The threats and attacks facing an organization
– How to protect the organization from attacks
– How business solutions can be applied to solve
specific information security problems
– Many of the most common mainstream IT
technologies as generalists
– The terminology of IT and information security

ITM 578 15
Entry into the Security Profession
Many information security
professionals enter the field through
one of two career paths:
– ex-law enforcement and military
personnel
– technical professionals working on
security applications and processes
Today, students are selecting and
tailoring degree programs to prepare
for work in security

ITM 578 16
Military and
law enforcement
Securit
y
Security education
Technology
Career Paths to InfoSec
Positions
FIGURE 11-1 Career Paths to Information Security Positions

ITM 578 17
Entry into the Security Profession
 Current perception is that a security
professional must first be a proven
professional in another field of IT
 IT professionals moving into information
security often focus on the technology to the
exclusion of general information security
issues
 Organizations can foster greater
professionalism in the field through clearly
defined expectations and position
descriptions

ITM 578 18
Information Security Positions
The use of standard job descriptions
can increase the degree of
professionalism in the information
security field as well as improve the
consistency of roles and
responsibilities between organizations
Organizations that are revising the
roles and responsibilities of InfoSec
staff can consult references

ITM 578 19
Positions in Information Security
FIGURE 11-2 Positions in Information Security
Chief InformationChief Information
Security Officer CISOSecurity Officer CISO
SecuritySecurity
ConsultantConsultant
SecuritySecurity
AdministratorAdministrator
SecuritySecurity
ManagerManager
SecuritySecurity
OfficerOfficer
SecuritySecurity
TechnicianTechnician

ITM 578 20
InfoSec Staffing Help Wanted
Definers provide the policies,
guidelines, and standards
Builders are the real techies, who
create and install security solutions
Operators run and administer the
security tools, perform security
monitoring, and continuously improve
processes

ITM 578 21
Chief Information Security Officer
 Top information security position in the
organization
– Not usually an executive
– Frequently reports to the CIO/CTO
 Qualifications & position requirements
– Often a CISSP
– Graduate degree
– Experience as a security manager
 Business managers first—technologists
second; must also be conversant in all areas
of security, including technical, planning,
and policy

ITM 578 22
CISO Functions
 Manage the overall InfoSec program
 Draft or approves information security policies
 Work with the CIO on strategic plans, develops
tactical plans, and work with security
managers on operational plans
 Develop InfoSec budgets based on funding
 Set priorities for InfoSec projects & technology
 Make decisions in recruiting, hiring, and firing
of security staff
 Act as spokesperson for the security team

ITM 578 23
Security Manager
 Accountable for the day-to-day operation of the
information security program
 Accomplishes objectives as identified by the CISO
 Qualifications and position requirements:
– Not uncommon to have a CISSP
– Traditionally, managers have earned the CISSP while
technical professionals earned the Global Information
Assurance Certification
– Must have the ability to draft middle- and lower-level
policies as well as standards and guidelines
– They must have experience in budgeting, project
management, and hiring and firing
– They must also be able to manage technicians, both in the
assignment of tasks and the monitoring of activities

ITM 578 24
Security Technician
 Technically qualified individuals tasked to
configure security hardware and software
 Tend to be specialized, focusing on one major
security technology and further specializing
in one software or hardware solution
 Qualifications and position requirements:
– Organizations prefer expert, certified, proficient
technicians
– Job descriptions cover some level of experience
with a particular hardware and software package
– Sometimes familiarity with a technology secures
an applicant an interview; however, experience
in using the technology is usually required

ITM 578 25
Internal Security Consultant
 Typically an expert in some aspect of
information security
 Usually preferable to involve a formal
security services company, it is not unusual
to find a qualified individual consultant
 Must be highly proficient in the managerial
aspects of security
 Information security consultants usually
enter the field after working as experts in
the discipline and often have experience as a
security manager or CISO

ITM 578 26
Credentials of Infosec Professionals
Many organizations seek recognizable
certifications to indicate proficiency
level associated with various security
positions
Most certifications are relatively new
and not fully understood by hiring
organizations

ITM 578 27
 Certifying bodies work hard to educate the
general public on value and qualifications
of their certificate recipients
 Employers trying to understand the match
between certifications and the position
requirements & candidates trying to gain
meaningful employment based on newly
received certifications

ITM 578 28
Certifications:
– Certified Information Systems Security
Professional (CISSP) & Systems Security
Certified Practitioner (SSCP) [(ISC)2
]
– Global Information Assurance Certification
(GIAC) [SANS Institute]
– Security Certified Professional (SCP) [SCP]
– TruSecure ICSA Certified Security Associate
(TICSA) & TruSecure ICSE Certified
Security Expert (TICSE) [TruSecure]

ITM 578 29
Certifications:
– Security+ [CompTIA]
– Certified Information Systems Auditor
(CISA) & Certified Information Security
Manager (CISM) [ISACA]
– Certified Information Forensics
Investigator (CIFI) [ISFA]
– Computer and Network Security
Technologies Graduate Certificate [IIT]

ITM 578 30
Cost of Being Certified
Certifications cost money, and the
better certifications can be quite
expensive - cost for training can also
be significant
Even an experienced professional finds
it difficult to sit for one of these exams
without some preparation

ITM 578 31
Cost of Being Certified
Many candidates teach themselves
through trade press books others
prefer the structure of formal training
Before attempting a certification exam,
do your homework and review the
exam criteria, its purpose and
requirements in order to ensure that
the time and energy spent pursuing
the certification are well spent

ITM 578 32
Preparing for Security Certification
FIGURE 11-3 Preparing for Security Certification
Self-Study Guides
Certification
Mentors & Study Partners
Work Experience Training Media Formal Training Programs

ITM 578 33
Advice for Information Security Professionals
 If you are a future information security
professional, you can benefit from these
suggestions on entering the information
security job market:
– Always remember: business first, technology last
– It’s all about the information
– Be heard and not seen
– Know more than you say, be more skillful than
you let on
– Speak to users, not at them
– Your education is never complete

ITM 578 34
Employment Policies and Practices
General management should integrate
solid information security concepts into
the organization’s employment policies
and practices
If the organization can include security
as a documented part of every
employee’s job description, perhaps
information security will be taken more
seriously

ITM 578 35
Hiring and Termination Issues
From an information security
perspective, the hiring of employees is
a responsibility laden with potential
security pitfalls
The CISO and information security
manager should establish a dialogue
with the Human Resources department
to provide an information security
viewpoint for hiring personnel

ITM 578 36
Hiring Issues
FIGURE 11-4 Hiring Issues
Certifications
Background Checks
Covenants &
Agreements
Policies
Contracts

ITM 578 37
Job Descriptions
Inserting information security
perspectives into the hiring process
begins with reviewing and updating all
job descriptions
To prevent people from applying for
positions based solely on access to
sensitive information, the organization
should avoid revealing access privileges
to prospective employees when
advertising positions

ITM 578 38
Interviews
 An opening within Information Security
opens up a unique opportunity for the
security manager to educate HR on the
certifications, experience, and qualifications
of a good candidate
 Information security should advise HR to
limit information provided to the candidate
on the responsibilities and access rights the
new hire would have
 For those organizations that include on-site
visits as part of interviews, it is important to
use caution when showing a candidate
around the facility

ITM 578 39
Background Checks
 A background check is an investigation into a
candidate’s past
 There are regulations that govern such investigations
 Background checks differ in the level of detail and
depth with which the candidate is examined:
– Identity checks
– Education and credential checks
– Previous employment verification
– References checks
– Worker’s Compensation history
– Motor vehicle records
– Drug history
– Credit history
– Civil court history
– Criminal court history

ITM 578 40
Fair Credit Reporting Act
 Federal regulations exist in the use of
personal information in employment
practices, including the Fair Credit
Reporting Act (FCRA)
 Background reports contain information on a
job candidate’s credit history, employment
history, and other personal data
 FCRA prohibits employers from obtaining
these reports unless the candidate is
informed

ITM 578 41
Employment Contracts
Once a candidate has accepted the job
offer, the employment contract becomes
an important security instrument
Many security policies require an
employee to agree in writing
– If an existing employee refuses to sign
these contracts, the security personnel are
placed in a difficult situation

ITM 578 42
Employment Contracts
New employees, however may find
policies classified as “employment
contingent upon agreement,”
whereby the employee is not offered
the position unless he/she agrees to
the binding organizational policies

ITM 578 43
New Hire Orientation
 As new employees are introduced into the
organization’s culture and workflow, they
should receive an extensive information
security briefing on all major policies,
procedures, and requirements for
information security
 The levels of authorized access are outlined,
and training provided on the secure use of
information systems
 By the time employees are ready to report to
their positions, they should be thoroughly
briefed, and ready to perform their duties
securely

ITM 578 44
On-the-Job Security Training
 As part of the new hire’s ongoing job
orientation, and as part of every employee’s
security responsibilities, the organization
should conduct periodic security awareness
training
 Keeping security at the forefront of
employees’ minds and minimizing employee
mistakes is an important part of the
information security awareness mission
 Formal external and informal internal
seminars also increase the level of security
awareness for all employees, especially
security employees

ITM 578 45
Performance Evaluation
 To heighten information security awareness
and change workplace behavior,
organizations should incorporate information
security components into employee
performance evaluations
 Employees pay close attention to job
performance evaluations, and if the
evaluations include information security
tasks, employees are more motivated to
perform these tasks at a satisfactory level

ITM 578 46
Termination
When an employee leaves an
organization, there are a number of
security-related issues
Key is protection of all information to
which employee had access

ITM 578 47
Termination Tasks
 When an employee leaves, several tasks must
be performed:
– Revoke access to the organization’s systems
– Return removable media
– Secure hard drives
– Change file cabinet locks
– Change office door lock
– Revoke keycard access
– Remove all personal effects from the organization’s
premises
 Once cleared—if circumstances dictate—
former employees should be escorted from the
premises

ITM 578 48
Exit Interview
 In addition, many organizations use an exit
interview
 Obtain feedback on the employee’s tenure in
the organization
 Remind the departing employee of
contractual obligations, such as
nondisclosure agreements
 Also remind departing employee that if they
fail to comply with contractual obligations,
civil or criminal action may result

ITM 578 49
Exit Scenarios
 From a security standpoint, security cannot
risk the exposure of organizational
information
 Simplest and best method to handle the
outprocessing of an employee is to select one
of the scenarios that follows, based on the
employee’s reasons for leaving
– Hostile departure (nonvoluntary) procedure:
termination, downsizing, lay off, or quitting
– Friendly departure (voluntary):
retirement, promotion, or relocation

ITM 578 50
Hostile Departure Procedure
 Termination, downsizing, lay off, or quitting
– Terminate all logical and keycard access before
employee is aware
– As soon as employee reports for work, employee is
escorted into supervisor’s office
– Upon receiving notice, employee is politely
escorted to working space and allowed to collect
personal belongings
– Employee asked to surrender all keys, keycards,
and other company property
– Former employee then politely escorted out of the
building

ITM 578 51
Friendly Departure Procedure
 Retirement, promotion, or relocation
– Employee may have tendered notice well in
advance of the actual departure date
– Actually makes it harder for security to maintain
positive control over the employee’s access and
information usage
– Employee access is usually allowed to continue
with a new expiration date
– Employees come and go at will and collect their
own belongings, and leave on their own
– Asked to drop off all organizational property
“on their way out the door”

ITM 578 52
Termination
 In all circumstances, offices and information
used by the employee must be inventoried,
their files stored or destroyed, and all
property returned to organizational stores
 It is possible that the employees foresee
departure well in advance, and begin
collecting organizational information or
anything that could be valuable in their
future employment

ITM 578 53
Termination (continued)
 Only by scrutinizing systems logs after the
employee has departed, and sorting out
authorized actions from systems misuse or
information theft can the organization
determine if there has been a breach of
policy or a loss of information
 In the event that information is illegally
copied or stolen, the action should be
declared an incident and the appropriate
policy followed

ITM 578 54
Security Considerations For Nonemployees
 A number of individuals who are not subject
to rigorous screening, contractual
obligations, and eventual secured
termination often have access to sensitive
organizational information
 Relationships with individuals in this
category should be carefully managed to
prevent a possible information leak or theft

ITM 578 55
Temporary Employees
 Temporary employees: hired by the organization to
serve in a temporary position or to supplement
existing workforce
 As they are not employed by the host organization,
they are often not subject to the contractual
obligations or general policies; if these individuals
breach a policy or cause a problem actions are
limited
 From a security standpoint, access to information for
these individuals should be limited to that necessary
to perform their duties
 Ensure that the temp’s supervisor restricts the
information to which they have access

ITM 578 56
Maintenance Personnel
 Internal maintenance and custodial
personnel who may have access to IT assets
need to have necessary clearances even if
handling these assets is not part of their
regular job
 Contract and warranty service personnel
need to be supervised when working on any
equipment with access to sensitive or
classified data
 Contract custodial personnel must be bonded

ITM 578 57
Contract Employees
 Contract employees are typically hired to
perform specific services for the organization
 The host company often makes a contract
with a parent organization rather than with
an individual for a particular task
 In a secure facility, all contract employees are
escorted from room to room, as well as into
and out of the facility
 There is also the need for certain restrictions
or requirements to be negotiated into the
contract agreements when they are activated

ITM 578 58
Consultants
 Consultants should be handled like contract
employees, with special requirements for
information or facility access requirements
integrated into the contract before these
individual are allowed outside the conference
room
 Security and technology consultants
especially must be prescreened, escorted, and
subjected to nondisclosure agreements to
protect the organization
 Just because you pay a security consultant,
doesn’t make the protection of your
information his or her number one priority

ITM 578 59
Business Partners
 Businesses find themselves in strategic alliances
with other organizations, desiring to exchange
information, integrate systems, or simply to discuss
operations for mutual advantage
 There must be a meticulous, deliberate process of
determining what information is to be exchanged, in
what format, and to whom
 Nondisclosure agreements and the level of security
of both systems must be examined before any
physical integration takes place, as system
connection means that the vulnerability of one
system is the vulnerability of all

ITM 578 60
Separation of Duties & Collusion
 The completion of a significant task that
involves sensitive information should
require two people using the check and
balance method to avoid collusion
– If one person has the authorization to access a
particular set of information, there may be
nothing to prevent this individual from copying it
and removing it from the premises
 Check and balance method requires two or
more people to conspire to commit an
incident, known as collusion.

ITM 578 61
 A similar concept is that of two-man control,
when two individuals review and approve
each other’s work before the task is
categorized as finished
 In two-man control, each person completely
finishes necessary work, and then submits it
to the co-worker.
 Each co-worker examines the work
performed, double checking the actions
performed, ensuring no errors or
inconsistencies exist

ITM 578 62
 Another control used is job rotation where
employees know each others job skills
 A mandatory vacation, of at least one
week, provides the ability to audit the
work
 Need-to-know and least privilege ensures
that no unnecessary access to data occurs,
and that only those individuals who must
access the data do so

ITM 578 63
Preventing Collusion
FIGURE 11-6 Preventing Collusion
Separation of Duties
Work is divided up.
Each team member
performs only his or her
portion of the task sequence.
Two-man control
Team members review
each other’s work

ITM 578 64
Privacy and the Security of Personnel Data
 Organizations are required by law to protect
employee information that is sensitive or
personal
 This includes employee addresses, phone
numbers, social security numbers, medical
conditions, and even names and addresses of
family and relatives
 This responsibility also extends to
customers, patients, and business
relationships

ITM 578 65
The End…
Discussion!

Security and personnel

More Related Content

What's hot

Similar to Security and personnel

More from Dhani Ahmad

Recently uploaded

Security and personnel

Editor's Notes