Principles of Information Security 7E - Module 7

MODULE 7

Security and
Personnel

Upon completion of this material, you should be able to:
1 Describe where and how the information security function should be positioned within organizations
2 Explain the issues and concerns related to staffing the information security function
3 List and describe the credentials that information security professionals can earn to gain recognition in the field
4 Discuss how an organization’s employment policies and practices can support the information security effort
5 Identify special security controls and privacy considerations for personnel management

“I think we need to be paranoid optimists.”
—Robert J. Eaton, Chairman of the Board of Management, DaimlerChrysler AG (Retired)

Opening Scenario
Among Iris Majwubu’s morning e-mails was a message from Charlie Moody. As she read the subject line and opened the
message, Iris wondered why on earth the company CISO needed to see her. The e-mail read:
From: Charles Moody [[email protected]]
To: Iris Majwubu [[email protected]]
Subject: I need to see you
Iris,
Since you were a material witness in the investigation, I wanted to advise you of
the status of the Magruder case. We completed all of the personnel actions on this
matter yesterday, and it is now behind us.
I wanted to thank you for the key role you played in helping the Corporate
Security Department resolve this security matter in its early stages so no company
assets were compromised.
Please set up an appointment with me in the next few days to discuss a few things.
Charlie

Two days later, Iris entered Charlie Moody’s office. He rose from his desk as she entered. “Come in, Iris,” Charlie said. “Have a seat.”
Nervously, she chose a chair closest to the door, not anticipating that Charlie would come around his desk and sit next to
her. As he took his seat, Iris noticed that the folder in his hand looked like her personnel file. She took a deep breath, unsure
exactly why Charlie had her file.
“I’m sure you’re wondering why I asked you to meet with me,” said Charlie. “The company really appreciates your efforts
in the Magruder case. Because you followed policy and acted so quickly, we avoided a significant loss. You were right to bring
that issue to your manager’s attention rather than confronting Magruder directly. You not only made the right choice, but
you acted quickly and showed a positive attitude throughout the whole situation—basically, I think you demonstrated an
information security mindset. And that’s why I’d like to offer you a transfer to Kelvin Urich’s security projects team. I think they
would really benefit from having someone like you on board.”
“I’m glad I was able to help,” Iris said, “but I’m not sure what to say. I’ve been a database administrator with the company
for almost three years. I really don’t know much about information security other than what I learned from the company
training and awareness sessions.”
“That’s not a problem,” Charlie said. “What you don’t know you can learn.” He smiled. “So how about it, are you interested
in the job?”
Iris said, “It does sound interesting, but to be honest I hadn’t been considering a career change.” She paused for a moment,
then added, “I am willing to think about it. But I have a few questions . . . .”

Introduction to Security and Personnel

When implementing information security, an organization must first address how to position and label the security function. Second, the information security community of interest must plan for the function’s proper staffing or for adjustments to the staffing plan. Third, the IT community of interest must assess the impact of information security on every IT function and adjust job descriptions and documented practices accordingly. Finally, the general management community of interest must work with information security professionals to integrate solid information security concepts into the organization’s personnel management practices.
To assess the effect that changes will have on the organization’s personnel management practices, the organization should conduct a behavioral feasibility study before the program is implemented—that is, during the planning phase. The study should include an investigation into the levels of employee acceptance of change and resistance to it.
Employees often feel threatened when an organization is creating or enhancing an information security program. They
may perceive the program to be a manifestation of a “Big Brother” attitude and have questions such as the following:
• Will management be monitoring my work or my e-mail?
• Will information security staff go through my hard drive looking for evidence to fire me?
• Will the information security changes affect how efficient and effective I am in my job?

As you have learned in other modules, resolving these sorts of doubts and reassuring employees about the role of
information security programs are fundamental objectives of implementation. Thus, it is important to gather employee
feedback early and respond to it quickly. This module explores the issues involved in positioning the information
security unit within the organization and in staffing the information security function. The module also discusses how
to manage the many personnel challenges that arise across the organization and demonstrates why these challenges
should be considered part of the organization’s overall information security program.

Positioning the Security Function

There are several valid choices for positioning the information security department within an organization. The model commonly used by large organizations places information security within the information technology department and usually designates a CISO (chief information security officer) or CSO (chief security officer) to lead the function. The CISO most commonly reports directly to the company’s top computing executive: the CIO (chief information officer) or vice president for IT. Such a structure implies that the goals and objectives of the CISO and CIO are aligned, but this is not always the case. By its very nature, an information security program can sometimes work at odds with the goals and objectives of the information technology department as a whole. The CIO, as the executive in charge of the organization’s technology, strives for efficiency in the availability, processing, and accessing of company information. Thus, anything that limits access or slows information processing can impede the CIO’s mission.
The 2019 (ISC)2 Cybersecurity Workforce Study found that only 62 percent of organizations with 500 or more
employees were led by a CISO, while 27 percent were led by a senior IT executive. The numbers drop to 50 percent
and 30 percent, respectively, in organizations with fewer than 500 employees.1
The CISO’s function is more like that of an internal auditor in that the CISO must direct the information security department to examine data in transmission and storage to detect suspicious traffic, and examine systems to discover information security faults and flaws in technology, software, and employees’ activities and processes. These examinations can affect the speed at which the organization’s information is processed and accessed. Because the addition of multiple layers of security inevitably slows users’ access to information, information security may be viewed by some employees as a hindrance to the organization’s operations. A good information security program maintains a careful balance between access and security, and works to educate all employees about the need for necessary delays to ensure the protection of critical information.
Because the goals and objectives of CIOs and CISOs tend to contradict each other, the trend among many
organizations has been to separate the information security function from the IT division. An article in the IT industry
magazine InformationWeek summarized the reasoning behind this trend quite succinctly: “The people who do and the
people who watch shouldn’t report to a common manager.”2 This sentiment was echoed in an ISO 27001 posting: “One
of the most important things in information security is to avoid conflict of interest; that is, to separate the operations
from control and audit.”3
A survey conducted by the consulting firm Meta Group found that while only 3 percent of its clients position the
information security department outside IT, these clients regarded such positioning as the mark of a forward-thinking
organization. Another group, Forrester Research, concludes that the traditional structure of the CISO or CSO reporting
to the CIO will be prevalent for years to come, but that it will begin to involve numerous variations in which different
IT sections report information to the CSO, and thereby provide IS departments the critical input and control they need
to protect the organization’s IT assets.4 In general, the data seems to suggest that while many organizations believe
the CISO or CSO should function as an independent, executive-level decision maker, information security and IT are
currently too closely aligned to separate into two departments.
In his book Information Security Roles and Responsibilities Made Easy, Charles Cresson Wood compiles the best
practices from many industry groups regarding the positioning of information security programs. According to Wood,
information security can be placed within any of the following organizational functions:5

• IT, as a peer of other subfunctions such as networks, applications development, and the help desk
• Physical security, as a peer of physical security or protective services
• Administrative services, as a peer of human resources or purchasing
• Insurance and risk management
• The legal department

According to the 2015 SEC/CISE Threats to Information Protection Report, which included a snapshot of the state
of the industry:
Of those reporting they were the senior-most executive/manager responsible for security, exactly
half (50.0 percent) indicated they reported to a top IT executive (CIO, CTO, VP-IT, etc.), 9.7 percent
reported to a senior finance or accounting executive, and 5.6 percent reported to a senior operations
executive (COO, CBO, etc.). Interestingly, 5.6 percent reported to some form of legal or regulatory
executive (general counsel, VP of regulatory compliance, etc.) and 20.8 percent reported to an
undisclosed general executive (VP, director). Of particular note were the 6.9 percent who indicated
they reported to a specialized risk management executive (chief risk officer or executive director for
risk management).
Only 15.5 percent of survey respondents reported directly to their company’s top executive. Also, 45.1 percent
had one executive between themselves and the top executive, while approximately 40 percent reported through three
or more levels. The distance between these individuals and strategic decision makers is unsettling.6
Once the proper position of information security has been determined, the challenge is to design a reporting
structure that balances the competing needs of each community of interest. The placement of information security
in the reporting structure often reflects the fact that no one actually wants to manage it; thus, the unit is moved from
place to place within the organization without regard for the impact on its effectiveness. Organizations should find a
rational compromise by placing information security where it can best balance its duty to monitor compliance with
its ability to provide the education, training, awareness, and customer service needed to make information security an
integral part of the organization’s culture. Also, the need to have the top security officer report directly to the executive
management group instead of just the CIO becomes critical, especially if the security department is positioned in the
IT function.

Staffing the Information Security Function

The selection of information security personnel is based on several criteria, some of which are not within the
control of the organization. Consider the fundamental concept of supply and demand. When the demand for
any commodity—for example, a critical technical skill—increases too quickly, supply initially fails to meet
demand. Many future IS professionals seek to enter the security market by gaining the skills, experience, and
credentials they need to meet this demand. In other words, they enter high-demand markets by changing jobs,
going to school, or becoming trained. Until the new supply reaches the demand level, organizations must pay the
higher costs associated with limited supply. Once the supply meets or exceeds the demand, organizations can
become more selective, and the amount they are willing to pay drops. Hiring trends swing back and forth like
a pendulum, from high demand and low supply to the other extreme of low demand and high supply, because
the economy is seldom in a state of equilibrium. In 2002, the information security industry enjoyed a period of
high demand, with relatively few qualified and experienced applicants available for organizations seeking their
services. The economic realities of 2003 through 2006—a climate of lower demand for all IT professionals—led
to more limited job growth for information security practitioners. From 2008 to 2014, the lackluster performance
of the U.S. economy stifled jobs across IT, not just in information security. Since 2015, the demand has begun
to skyrocket.
The latest forecasts for IT hiring in general and information security in particular project more openings than
in many previous years. According to the Bureau of Labor Statistics (BLS), employment of information security
analysts is projected to grow 31 percent from 2019 to 2029, which is much faster than the 4 percent average for all
occupations.7
The BLS data shown in Figure 7-1 only examines one set of security positions that it terms as “information security
analyst.” It does not consider the positions of a security manager or executive, or those of an IT administrator or
manager with information security responsibilities.
According to CyberSeek (cyberseek.org), there were more than a half million open cybersecurity and information
security jobs in the United States at the end of 2020. The cybersecurity supply/demand “heat map” shown in Figure 7-2
illustrates the demand on a per-state basis and provides a national summary.

For more information on job openings in information security, visit www.cyberseek.org and click on the Interactive map.

Figure 7-1 BLS information for information security analysts (Source: U.S. Department of Labor.)

Figure 7-2 Cyberseek.org supply/demand heat map (Source: cyberseek.org.)



Perhaps more meaningful to this discussion is a recent (ISC)2 Cybersecurity Workforce Study, which states:

The cybersecurity workforce gap has increased since last year, primarily due to a global surge in
hiring demand. In the United States, the cybersecurity workforce gap is nearly 500,000. By combining
our U.S. cybersecurity workforce estimates and this gap data, we can calculate that the cybersecurity
workforce needs to grow by 62% in order to meet the demands of U.S. businesses today. Using the
workforce estimate of 2.8 million based on the 11 economies for which we provided a workforce
estimate and the global gap estimate of 4.07 million, we can estimate that the global workforce needs
to grow by 145%.8

This means that globally, the estimated shortage of qualified security personnel increased from 3 million to more
than 4 million from the 2018 study to the 2019 study. In the United States alone, it is estimated that we need another
310,000 security professionals just to keep up with current demand, and demand is increasing. In the (ISC)2 study,
more than 65 percent of respondents worked in businesses with a shortage of cybersecurity staff, with more than half
indicating that the shortage puts their organization at risk.9

To download the 2020 (ISC)2 Cybersecurity Workforce Study, visit www.isc2.org/Research/Workforce-Study.

Qualifications and Requirements


Several factors influence an organization’s hiring decisions. Because information security has only recently emerged
as a separate discipline, hiring in this field is complicated by a lack of understanding among organizations about what
qualifications an information security professional should possess. In many organizations, information security teams
currently lack established roles and responsibilities. Establishing better hiring practices in an organization requires
the following:
• The general management community of interest should learn more about the skills and qualifications for information security positions and IT positions that affect information security.
• Upper management should learn more about the budgetary needs of information security and its positions. This knowledge will enable management to make sound fiscal decisions for information security and the IT functions that carry out many information security initiatives.
• The IT and general management communities should grant appropriate levels of influence and prestige to information security, especially to the role of CISO.

In most cases, organizations look for a technically qualified information security generalist who has a solid understanding of how an organization operates. In many fields, the more specialized professionals are more marketable. In information security, however, overspecialization can be risky. It is important, therefore, to balance technical skills with general knowledge about information security.
When hiring information security professionals, organizations frequently look for candidates who understand the
following:
• How an organization operates at all levels
• That information security is usually a management problem and is seldom an exclusively technical problem
• How to work with people and collaborate with end users, and the importance of strong communications and writing skills
• The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution rather than part of the problem
• Most mainstream IT technologies at a general level, not necessarily as an expert
• The terminology of IT and information security
• The threats facing an organization and how they can become attacks
• How to protect an organization’s information assets from attacks
• How business solutions, including technology-based solutions, can be applied to solve specific information security problems

Entry into the Information Security Profession


Traditionally, information security professionals entered the field through one of two career paths. Some came from
law enforcement or the military, where they were involved in national security or cybersecurity. Others were technical
professionals—networking experts, programmers, database administrators, and systems administrators—who found
themselves working on information security applications and processes more often than traditional IT assignments.
Today there are an increasing number of security professionals who actually start their careers in security,
beginning as college students who select and tailor their degree programs to prepare for work in the field of information
security. According to the most recent data from the (ISC)2 Cybersecurity Workforce Study, 42 percent of respondents
started their careers with a job in security, with 56 percent selecting security as a career during their education and
65 percent intending to work in security throughout their career.10 Figure 7-3 illustrates the most common career path
options.

Figure 7-3 Career paths to information security positions (paths into information security from the military, law enforcement, information technology, and information security college graduates)

Source: This figure has multiple sources. Bottom left: © pio3/Shutterstock.com. Bottom right: © michaeljung/Shutterstock.com. Top right: © dotshock/Shutterstock.com. Center: © IM_photo/Shutterstock.com. Top left: Gorodenkoff/Shutterstock.com.

Many hiring managers in information security prefer to recruit security professionals who have proven IT skills
and professional experience in another IT field. IT professionals who move into information security, however, tend
to focus on technology, sometimes in place of general information security issues. Organizations can foster greater
professionalism in the discipline by expanding beyond the hiring of proven IT professionals and instead filling positions
by matching qualified candidates to clearly defined roles in information security.

Information Security Positions


The use of standard job descriptions can increase the degree of professionalism in the information security field and
improve the consistency of roles and responsibilities among organizations. Organizations that expect to revise these
roles and responsibilities can consult Charles Cresson Wood’s book, Information Security Roles and Responsibilities
Made Easy, which offers a set of model job descriptions for information security positions. The book also identifies
the responsibilities and duties of IT staff members whose work involves information security.11 Figure 7-4 illustrates a
standard reporting structure for information security positions.
In an Information Security Roundtable interview with Andy Briney, Eddie Schwartz, then VP of Strategy at Guardent, described security positions as being classified into one of three areas: those that define information security programs, those that build the systems and create the programs to implement information security controls, and those that administer information security control systems and programs that have been created. The “definers” are managers who provide policy and planning and manage risk assessments. They are typically senior information security managers—they have extensive and broad knowledge but not a lot of technical depth. The builders are techies who create security technical solutions to protect software, systems, and networks. The administrators apply the techies’ tools in accordance with the decisions and guidance of the definers; they provide day-to-day systems monitoring and use to support an organization’s goals and objectives. By clearly identifying which type of role it is seeking and then classifying all applicants into these three types and matching them, the organization can recruit more effectively.12
Some examples of job titles shown in Figure 7-4 are discussed in the following sections.

Figure 7-4 Positions in information security (organization chart): Chief Security Officer and Information Security Consultant at the top level; Information Security Manager and Physical Security Manager at the middle level; Information Security Administrator, Information Security Analyst/Engineer, and Physical Security Officer at the bottom level

Chief Information Security Officer (CISO)


Although the exact title may vary, the CISO is typically the top information security officer in the organization. As indicated earlier in the module, the CISO is usually not an executive-level position, and frequently the person in this role reports to the chief information officer. Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and policy areas. In many cases, the CISO is the major definer or architect of the information security program. The CISO performs the following functions:
• Manages the overall information security program for the organization
• Drafts or approves information security policies
• Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
• Develops information security budgets based on available funding
• Sets priorities for the purchase and implementation of information security projects and technology
• Makes decisions or recommendations for the recruiting, hiring, and firing of security staff
• Acts as the spokesperson for the information security team
The most common certification for this type of position is the Certified Information Security Manager (CISM), which
is described later in this module. A bachelor’s degree is almost always required, and in some cases a graduate degree
is also preferred, although it may be from a number of possible disciplines, including information systems, computer
science, another information technology field, criminal justice, military science, business, or other fields related to
the broader topic of security.
A typical example of a CISO’s job description is shown here. The example has been edited for length and is from
a state government job posting, but it is very similar to postings in general industry.
Position: Chief Information Security Officer

Job duties: The Chief Information Security Officer reports to the state’s deputy division administrator
(DET) and is responsible for the statewide security program.
The CISO’s role is to provide vision and leadership for developing and supporting security initiatives.
The CISO directs the planning and implementation of enterprise IT system, business operation, and
facility defenses against security breaches and vulnerability issues. This individual is also responsible for
auditing existing systems while directing the administration of security policies, activities, and standards.

The CISO is responsible for providing regulatory oversight for information security. This oversight
includes the development of enterprise-wide policy, procedures, and guidance for compliance with
federal laws, regulations, and guidelines, and sound security and privacy practices. Additionally, the
CISO is responsible for reviewing security program documentation developed to ensure compliance and
further enhance security practices across all component agencies.

The CISO is responsible for deployed security across the enterprise, including platforms, networks, and
security tools. The CISO is also responsible for identifying and assessing internal and external threats,
vulnerabilities, and risks, as well as ensuring that robust monitoring, timely detection, containment,
and incident response are in place to mitigate the exposure caused by a breach. The CISO provides
leadership, guidance, direction, and authority for technology security across all corporate technology
departments, including measurements applicable to services provided.
The CISO is responsible for ensuring that workflow within the division runs smoothly so that new
technology projects are appropriately monitored for security risks and appropriate risk mitigation
requirements are efficiently set forth and appropriately designed and delivered with the newly developed
production system. Policies, procedures, technical standards, and architecture will need to be regularly
reviewed and updated to prevent unauthorized access of State of Wisconsin technology systems.

Special notes:

Due to the nature of the position, the Department of Administration will conduct a thorough
background check on applicant prior to selection.

Job knowledge, skills, and abilities:

General:

• Strong oral and written communication skills, including the ability to communicate business and technical concepts and information effectively to a wide range of audiences, including the public
• Strong interpersonal skills, including the ability to work independently with high-level government officials, with business and IS managers and staff in federal, state, and local agencies, and with division and department managers in a decentralized environment
• Strong project management skills
• Demonstrated ability to effectively interface with technical staff, senior management, and external parties
• Proven ability to plan and organize work, requiring an in-depth understanding of security issues and
ability to integrate into the work of others
• Ability to defend and explain difficult issues with respect to key decisions and positions to staff and senior
officials
• Experience in analyzing enterprise business and technology issues in a large corporation or government
organization
• Ability to establish credibility so decisions and recommendations are adopted
• Ability to identify appropriate members and develop effective teams with specific knowledge and skills
needed to develop solutions and make recommendations
• Resourcefulness in identifying and obtaining information sources needed to perform responsibilities
effectively

Technological/specific:

• Must be an intelligent, articulate, and persuasive leader who can serve as an effective member of the
senior management team and who is able to communicate security-related concepts to a broad range
of technical and nontechnical staff
• Security background, experience in business management, and professional expertise in security and law
• Strong technical background in information technology security
• Knowledge of secure software development
• Computer/network investigation skills and forensics knowledge
• Extensive knowledge of networks as well as system, database, and applications security
• Demonstrated ability to work with management and staff at various levels of the organization to
implement sound security practices
• Ability to provide technical direction to security architects and project consultants to ensure appropriate
security requirements are set forth on new development efforts
• Knowledge of standards-based architectures, with an understanding of how to get there, including
compliance monitoring and enforceability
• Experience with business continuity planning, auditing, and risk management, as well as contract and
vendor negotiation
• Strong working knowledge of security principles (such as authentication, vulnerability testing, penetration
testing, auditing, crime scene preservation, and risk management) and security elements (such as locking
systems, evacuation methods, perimeter controls, VPNs, and firewalls)
• Certifications such as Certified Protection Professional (CPP), Certified Information Systems Manager
(CISM), or Certified Information Systems Security Professional (CISSP) preferred13

Chief Security Officer (CSO)


In some organizations, the CISO’s position may be combined with physical security responsibilities or may even
report to a security manager who is responsible for both logical (information) security and physical security. Such a
position is generally referred to as a CSO. The CSO must be capable and knowledgeable in both information security
requirements and the “guards, gates, and guns” approach to protecting the physical infrastructure, buildings, and
grounds of a business.
To qualify for this position, the candidate must demonstrate experience as a security manager and with planning,
policy, and budgets. As mentioned earlier, some organizations prefer to hire people with law enforcement experience.
The following is a typical example of a CSO’s job description:
Position: Director of Security

Responsibilities: Reporting to the Senior Vice President of Administration, the Director of
Corporate Security will be responsible for all issues related to the security and protection of the
company’s employees, executives, facilities, proprietary data, and information. Accountable for
the planning and design of the company’s security programs and procedures, this individual will
facilitate protection from and resolution of theft, threats, and other situations that may endanger
the well-being of the organization. Working through a small staff, the Director will be responsible
for executive protection, travel advisories, employee background checks, and a myriad of other
activities throughout the corporation on a case-by-case basis. The Director will serve as the
company’s chief liaison with law enforcement agencies and, most importantly, will serve as a
security consultant to all of the company’s autonomously run divisions. Travel requirements will be
extensive.
Qualifications: The ideal candidate will have a successful background with a federal law enforcement
agency, or other applicable experience, that will afford this individual an established network of
contacts throughout the country. Additional private industry experience with a sizeable corporation—or
as a consultant to same—is preferable. A proactive attitude with regard to security and protection is a
must. The successful candidate must be capable of strategically assessing ... client security needs and
have a track record in areas such as crisis management, investigation, facility security, and executive
protection. Finally, the candidate should have a basic understanding of the access and use of electronic
information services as they apply to security issues. We seek candidates who are flexible enough to
deal with varied business cultures and who possess the superior interpersonal skills to perform well in
a consulting role where recommendations and advice are sought and valued, but perhaps not always
acted upon. A college degree is required.14
Module 7 Security and Personnel 271

Security Manager
Security managers are accountable for the day-to-day operation of the information security program. They accomplish
objectives identified by the CISO and resolve issues identified by technicians. Management of technology requires a
general understanding of that technology, but it does not necessarily require proficiency in the technology’s configura-
tion, operation, and fault resolution. Note that several positions have titles that contain the word manager or suggest
management responsibilities, but only people who are responsible for management functions, such as scheduling,
setting relative priorities, or administering budgetary control, should be considered true managers.
A candidate for this position often has a bachelor’s degree in technology, business, or a security-related field,
as well as a CISSP certification. Traditionally, managers earn the CISSP or CISM, and technical professionals earn
one of the Global Information Assurance Certification (GIAC) credentials offered through SANS. You will learn more
about these certifications later in the module.
Security managers must have the ability to draft middle- and lower-level policies as well as standards and guide-
lines. They must have experience in traditional business matters, such as budgeting, project management, and person-
nel management. They must also be able to manage technicians, both in the assignment of tasks and in the monitoring
of activities. Experience with business continuity planning is usually a plus.
The following is a typical example of a security manager’s job description. Note that there are several types of
security managers, as the position is much more specialized than that of a CISO. Thus, when applying for a job as a
security manager, you should read the job description carefully to determine exactly what the employer wants.
Position: Information Security Manager

Job description: This management position reports to the Chief Information Security Officer. The
successful candidate will manage the development of information security programs and control
systems in conformance with organizational policy and standards across the organization. This is
a high-visibility role that involves the day-to-day management of IT Security staff and their career
development. The principal accountabilities for this role are as follows:

• Develop and manage information security programs and control systems under the supervision of the
CISO in conjunction with the evolving information security architecture of the organization.
• Monitor performance of information security programs and control systems to maintain alignment with
organizational policy and common industry practices for emerging threats and technologies.
• Prepare and communicate risk assessments for business risk in software developments as well as ongo-
ing systems events (to include merger, acquisition, and divestiture) and ensure effective risk management
across the organization’s IT systems.
• Represent the information security organization in the organization’s change management process.
• Perform assigned duties in the area of incident response management and disaster recovery
response.
• Supervise assigned staff and perform other general management tasks as assigned, including budgeting,
staffing, and employee performance reviews.

Compare the preceding general job description with the following more specific job description found in a recent
advertisement:
Position: IT Security Compliance Manager

Job description: A job has arisen for an IT Security Compliance Manager reporting to the IT Security
Manager. In this role you will manage the development of the client’s IT security standards and operate
a compliance program to ensure conformance at all stages of the systems life cycle. This is a key,
hands-on role with the job holder taking an active part in the delivery of the compliance program. The
role will also involve the day-to-day management of IT security staff and their career development. The
principal accountabilities for this role are as follows:
• Develop and manage an IT security compliance program.
• Develop the client’s security standards in line with industry standards and emerging threats
and technologies.
272 Principles of Information Security

• Identify IT-related business risk in new software development and ensure that effective risk management
solutions are identified and complied with.
• Manage and conduct IT security compliance reviews in conjunction with operational and IT audit staff.
• Conduct investigations into security breaches or vulnerabilities.

Candidate profile: The ideal candidate should have five years’ experience of managing the
implementation of technical security controls and related operational procedures and must have sound
business risk management skills. You must have a flexible approach to working and must be able and
willing to work unsociable hours to meet the demands of the role.15

The second example illustrates the confusion in the information security field regarding job titles and reporting
relationships. The first job description identifies responsibilities for the position and describes points where
information security interacts with other business functions, but the second spreads responsibilities among several
business functions and does not seem to reflect a clearly defined role for the position or the information security
unit within the organization. Until some similarity in job titles and expected roles and responsibilities emerges,
information security job candidates should carefully research open positions instead of relying solely on the job
title.

Security Analyst
Security analysts, also commonly referred to as security technicians, security architects, or security engineers, are
technically qualified employees who are tasked to configure firewalls, deploy IDPSs, implement security software,
diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an
organization’s security technology is properly implemented. A security analyst is often an entry-level position, but to
be hired for this role, candidates must possess some technical skills. This often poses a dilemma for applicants, as
many find it difficult to get a job in a new field without experience—they can only attain such experience by getting
a job. As in the networking arena, security analysts tend to specialize in one major security technology group (such
as firewalls, IDPSs, servers, routers, or software) and in one particular software or hardware package (such as Check
Point firewalls, Palo Alto firewalls, or Tripwire IDPSs). These areas are sufficiently complex to warrant a high level of
specialization, but to move up in the corporate hierarchy, security analysts must expand their knowledge horizon-
tally—that is, they must gain an understanding of general organizational issues related to information security and
its technical areas. Many of these tasks also depend on the ability to work with the security information and event
management (SIEM) systems now in widespread use.
The technical qualifications and position requirements vary for a security analyst. Organizations prefer an expert,
certified, proficient technician. Regardless of the area of needed expertise, the job description covers some level of
experience with a particular hardware and software package. Sometimes, familiarity with a technology secures an
applicant an interview; however, actual experience in using the technology is usually required. The following is a typi-
cal job announcement for a security analyst:

Position: Firewall Engineering Consultant

Job Description: Working for an exciting customer-focused security group within one of the largest
managed network providers in the country. You will have the opportunity to expand your experience
and gain all the technical and professional support to achieve within the group. Must have experience
with third-line technical support of firewall technologies. Check Point certified. Experienced in Nokia
systems.

Package: Possible company car, discretionary bonus, private health care, on-call pay, and overtime
pay.16

Because overtime and on-call pay are listed, this job is probably an hourly position rather than a salaried one,
which is not uncommon for security analysts.

Credentials For Information Security Professionals


As mentioned earlier, many organizations seek industry-recognized certifications to screen candidates for the required
level of technical proficiency. Unfortunately, however, most existing certifications are relatively new and not fully
understood by hiring organizations. The certifying bodies are working hard to educate employers and professionals
on the value and qualifications of their certificate programs. In the meantime, employers are trying to understand
the match between certifications and position requirements, and hopeful professionals are trying to gain meaningful
employment based on their new certifications.
There are many certifications available to a security professional. Some of the more prominent are covered here.
Beyond these are a variety of certifications in related areas, such as digital forensics, networking, and other comput-
ing domains. Note that the requirements for these certifications are constantly evolving and may differ from what is
shown here. Those interested in certification should always verify the current requirements from the vendor before
attempting the exam.

(ISC)2 Certifications
The International Information Systems Security Certification Consortium, known as (ISC)2, offers security certifications
such as the Certified Information Systems Security Professional (CISSP), the Systems Security Certified Practitioner
(SSCP), and the Certified Secure Software Lifecycle Professional (CSSLP). You can visit the Web site at www.isc2.org.

CISSP
The CISSP certification is considered the most prestigious for security managers and CISOs. It recognizes mastery of
an internationally identified Common Body of Knowledge (CBK) in information security. To qualify for the CISSP, the
candidate must have at least five years of cumulative, paid, full-time experience as a security professional working in
at least two of the eight domains of information security knowledge. A four-year college degree (or its regional
equivalent) or an approved credential from the (ISC)2 list counts as one year of that experience, so a candidate who
holds one needs four years of direct security work experience in two or more domains; the degree itself is not a
requirement.
The English-language CISSP exam is computerized adaptive: it presents 100 to 150 questions and must be completed
within three hours. It tests candidates on their knowledge of the following eight domains:

• Security and risk management
• Asset security
• Security architecture and engineering
• Communication and network security
• Identity and access management
• Security assessment and testing
• Security operations
• Software development security

CISSP certification requires successful completion of the exam and an endorsement. Once candidates successfully
complete the exam, they have nine months to submit an endorsement by an actively credentialed CISSP or by their employer
as validation of their professional experience. After earning the certification, the CISSP holder must earn 120 hours of
continuing professional education (CPE) every three years, with a minimum of 20 hours per year. The breadth and depth
of each of the eight domains makes CISSP certification one of the most challenging to obtain in information security.17

CISSP Concentrations In addition to the major certifications that (ISC)2 offers, a number of concentrations are
available for CISSPs to demonstrate advanced knowledge beyond the CISSP CBK. Each concentration requires that the
applicant be a CISSP in good standing, pass a separate examination, and maintain the certification through continuing
professional education. These concentrations and their respective areas of knowledge are shown in the following list
and presented on the (ISC)2 Web site:

CISSP-ISSAP®: Information Systems Security Architecture Professional
• Architect for Governance, Compliance and Risk Management
• Security Architecture Modeling
• Infrastructure Security Architecture
• Identity and Access Management (IAM) Architecture
• Architect for Application Security
• Security Operations Architecture

CISSP-ISSEP: Information Systems Security Engineering Professional
• Security Engineering Principles
• Risk Management
• Security Planning, Design, and Implementation
• Secure Operations, Maintenance, and Disposal
• Systems Engineering Technical Management

CISSP-ISSMP: Information Systems Security Management Professional
• Leadership and Business Management
• Systems Lifecycle Management
• Risk Management
• Threat Intelligence and Incident Management
• Contingency Management
• Law, Ethics, and Security Compliance Management18

SSCP
Because it is difficult to master the broad array of knowledge encompassed in the eight domains covered by the
flagship CISSP exam, many security professionals seek less rigorous certifications, such as (ISC)2’s SSCP certification.
The SSCP also has lower professional experience requirements than the CISSP and focuses on practices, roles, and
responsibilities as defined by experts from major information security industries.19 The SSCP certification is more
applicable to a security administrator than to a technician, as the bulk of its questions focus on the operational
nature of security. Nevertheless, information security analysts who seek advancement may find that achieving some
certifications can help them move up.
The SSCP exam consists of 125 multiple-choice questions and must be completed within three hours. The exam
covers seven domains:
• Access controls
• Security operations and administration
• Risk identification, monitoring, and analysis
• Incident response and recovery
• Cryptography
• Network and communications security
• Systems and application security20

Many consider the SSCP to be a scaled-down version of the CISSP. The seven domains are not a subset of the CISSP
domains; they contain slightly more technical content. As with the CISSP, SSCP holders must either earn continuing
education credits to retain the certification or retake the exam.

CSSLP
The Certified Secure Software Lifecycle Professional (CSSLP) is another (ISC)2 certification focused on the development
of secure applications. To qualify for the CSSLP, you must have at least four years of recent experience in one or more
of the following eight domains:
• Secure software concepts
• Secure software requirements
• Secure software architecture and design
• Secure software implementation
• Secure software testing
• Secure software lifecycle management
• Secure software deployment, operations, and maintenance
• Secure software supply chain21
Candidates who meet the experience requirement sit for a multiple-choice exam covering these domains, in the same
linear format (ISC)2 uses for its other non-adaptive credentials. When the CSSLP launched in 2008, charter candidates
were instead assessed through written essays on their areas of expertise, which was radically different from the
multiple-choice exams (ISC)2 normally administers; that essay route is no longer offered. Once your experience has been
verified and you pass the exam, you can be certified. If necessary, you can qualify as an Associate of (ISC)2 until
you obtain the requisite experience to qualify for the CSSLP.

CAP
For people who work with the NIST Risk Management Framework (RMF), the Certified Authorization Professional (CAP) is a
certification that focuses on the deployment of the RMF, mainly in the federal government and the Department of Defense,
but also in other public- and private-sector organizations. (ISC)2 renamed the credential Certified in Governance, Risk
and Compliance (CGRC) in 2023; the domains listed here are those of the CAP at the time of writing. The CAP certification
covers seven domains:

• Information security risk management program
• Categorization of information systems (IS)
• Selection of security controls
• Implementation of security controls
• Assessment of security controls
• Authorization of information systems (IS)
• Continuous monitoring22

To qualify for this certification, candidates must have at least two years of work experience in one or more of the
domains and pass the certification exam.

HCISPP
A new and relevant certification for information security professionals working in the healthcare field is the HealthCare
Information Security and Privacy Practitioner (HCISPP). Similar to the CISSP but focused on security management top-
ics and healthcare, this certification requires the candidate to demonstrate knowledge in six domains:

• Healthcare industry
• Information governance in healthcare
• Information technologies in healthcare
• Regulatory and standards environment
• Privacy and security in healthcare
• Risk management and risk assessment23
Candidates must have two or more years of cumulative experience in at least one of these domains, and at least one of
those years must be in one of three specific domains: healthcare industry, regulatory and standards environment, or
privacy and security in healthcare. The other year can be in any of the remaining domains and does not have to be
experience in the healthcare field.

CCSP
Completing the list of new (ISC)2 certifications is the Certified Cloud Security Professional. This certification, cospon-
sored by the Cloud Security Alliance, is aimed at professionals who are primarily responsible for specifying, acquiring,
securing, and managing cloud-based services for their organization. The CCSP covers six domains:
• Architectural concepts and design requirements
• Cloud data security
• Cloud platform and infrastructure security
• Cloud application security
• Operations
• Legal and compliance

There are endorsement, experience, and continuing education requirements for this certification, as with all
previously mentioned (ISC)2 certifications.

Associate of (ISC)2
(ISC)2 has an innovative approach to the experience requirement in its certification program. Its Associate of (ISC)2
program is geared toward people who want to earn a certification but don’t have the requisite experience. Candidates
who pass any of the described (ISC)2 exams, agree to subscribe to the (ISC)2 code of ethics, maintain continuing profes-
sional education (CPE) credits, and pay the appropriate fees can maintain their status as an associate until they have
logged the required years of experience. They then receive the certification they’ve passed the exam for.

For more information on any of the (ISC)2 certifications, visit www.isc2.org.

ISACA Certifications
ISACA (www.isaca.org) also offers several reputable security certifications, including the Certified Information Security
Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control
(CRISC), Certified in the Governance of Enterprise IT (CGEIT), and the Certified Data Privacy Solutions Engineer (CDPSE).

CISM
The CISM credential is geared toward experienced information security managers and others who may have similar
management responsibilities. The CISM can assure executive management that a candidate has the required
background knowledge needed for effective security management and consulting. This exam is offered annually. The
CISM examination covers the following practice domains:
Information security governance (24 percent)
Information risk management (30 percent)
Information security program development and management (27 percent)
Information security incident management (19 percent)24
To be certified, the applicant must do the following:
• Pass the examination.
• Adhere to a code of ethics promulgated by ISACA.
• Pursue continuing education as specified.
• Document five years of information security work experience, with at least three years in information security
management in three of the four defined areas of practice.

CISA
The CISA credential is not specifically a security certification, but it does include many information security compo-
nents. ISACA touts the certification as being appropriate for auditing, networking, and security professionals. CISA
requirements are as follows:
• Successful completion of the CISA examination
• Experience as an information security auditor, with a minimum of five years’ professional experience in
information systems auditing, control, or security
• Agreement to the Code of Professional Ethics
• Payment of maintenance fees, a minimum of 20 contact hours of continuing education annually, and a minimum
of 120 contact hours during a fixed three-year period
• Adherence to the Information Systems Auditing Standards

The exam covers the following areas of information systems auditing:
• Information systems auditing process (21 percent)
• Governance and management of IT (17 percent)
• Information systems acquisition, development, and implementation (12 percent)
• Information systems operations and business resilience (23 percent)
• Protection of information assets (27 percent)25

CRISC
Another valuable ISACA certification is the Certified in Risk and Information Systems Control (CRISC). The certification
is targeted at managers and employees with knowledge and experience in risk management. The CRISC areas of knowl-
edge include risk management components, making it an interesting certification for upper-level information security
managers. The exam covers the following areas, as described in ISACA’s 2020 Exam Candidate Information Guide:
• IT risk identification (27 percent)
• IT risk assessment (28 percent)
• Risk response and mitigation (23 percent)
• Risk and control monitoring and reporting (22 percent)26
The certification requires the candidate to have a minimum of three years’ experience in risk management and
information systems control in at least two of the stated domains, and at least one year of that experience must be
in one of the first two domains, although the candidate may elect to take the exam before fulfilling the experience
requirement. This practice is accepted and encouraged by ISACA, but the candidate will not receive the certification
until the experience requirement is met.

CGEIT
Also available from ISACA is the Certified in the Governance of Enterprise IT (CGEIT) certification. The exam is tar-
geted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience
in IT governance. The CGEIT areas of knowledge include risk management components, which make it an interesting
certification for upper-level information security managers. The exam covers the following areas:
• Governance of enterprise IT (40 percent)
• Benefits realization (26 percent)
• Risk optimization (19 percent)
• IT resources (15 percent)27
The certification requirements are similar to those for other ISACA certifications. Candidates must have at least
one year of experience in IT governance and additional experience in at least two of the domains listed.

CDPSE
One of the newest certifications available from ISACA is the Certified Data Privacy Solutions Engineer (CDPSE), which
focuses on protecting customers’ personal information. The certification also addresses data life cycles, privacy compliance,
and best data practices from a data scientist or data analyst’s perspective. The CDPSE exam covers the following areas:
• Privacy governance (34 percent)
• Privacy architecture (36 percent)
• Data life cycle (30 percent)28
The certification is so new that ISACA is offering early adopters the opportunity to receive the certification without
taking the exam if they document at least five years’ experience and expertise in two or more of the domain areas.
Current holders of other ISACA certifications can reduce this requirement to three years’ experience.

For more information on any of the ISACA certifications, visit www.isaca.org.

SANS Certifications
In 1999, the SANS Institute, formerly known as the SysAdmin, Audit, Network, and Security Institute (www.sans.org),
developed a series of technical cybersecurity certifications currently offered under the Global Information
Assurance Certification (GIAC; www.giac.org) program. GIAC certifications not only test for knowledge, they require
candidates to demonstrate application of that knowledge. With the introduction of the GIAC Information Security
Professional (GISP), the GIAC Security Leadership Certification (GSLC), and several new managerial certifications,
SANS now offers more than just technical certifications. The GIAC family of certifications includes more than 40
certifications in six focus areas: offensive security, cyber defense, cloud security, industrial control systems,
digital forensics and incident response and management, and legal and audit. Originally, GIAC candidates had to
complete a written practical assignment that tested their ability to apply skills and knowledge before they were
allowed to take the exam; these assignments were submitted to the SANS Information Security Reading Room for review
by security practitioners, potential certificate applicants, and others with an interest in information security.
GIAC dropped that requirement in 2005. Today the exams are proctored, open-book tests, and candidates who want to
demonstrate applied knowledge beyond the exam can optionally submit a technical paper for the GIAC Gold designation.
The GIAC certifications as of 2020 are shown in Table 7-1.

Table 7-1 Roadmap of GIAC Certifications29

GIAC Certification | Level
Cyber Defense Focus Area
GISF: GIAC Information Security Fundamentals | Introductory
GSEC: GIAC Security Essentials | Intermediate
GOSI: GIAC Open Source Intelligence | Advanced
GCED: GIAC Certified Enterprise Defender | Advanced
GPPA: GIAC Certified Perimeter Protection Analyst | Advanced
GCIA: GIAC Certified Intrusion Analyst | Advanced
GCWN: GIAC Certified Windows Security Administrator | Advanced
GCUX: GIAC Certified UNIX Security Administrator | Advanced
GMON: GIAC Continuous Monitoring Certification | Advanced
GDSA: GIAC Defensible Security Architecture | Advanced
GCDA: GIAC Certified Detection Analyst | Advanced
GCCC: GIAC Critical Controls Certification | Advanced
GDAT: GIAC Defending Advanced Threats | Advanced
Industrial Control Systems Focus Area
GICSP: Global Industrial Cyber Security Professional | Intermediate
GRID: GIAC Response and Industrial Defense | Advanced
GCIP: GIAC Critical Infrastructure Protection | Advanced
Offensive Security Focus Area
GCIH: GIAC Certified Incident Handler | Intermediate
GEVA: GIAC Enterprise Vulnerability Assessor | Advanced
GPEN: GIAC Certified Penetration Tester | Advanced
GWAPT: GIAC Web Application Penetration Tester | Advanced
GPYC: GIAC Python Coder | Advanced
GMOB: GIAC Mobile Device Security Analyst | Advanced
GAWN: GIAC Assessing Wireless Networks | Advanced
GXPN: GIAC Exploit Researcher and Advanced Penetration Tester | Advanced
Digital Forensics & Incident Response Focus Area
GCFE: GIAC Certified Forensics Examiner | Intermediate
GBFA: GIAC Battlefield Forensics and Acquisition | Intermediate
GCFA: GIAC Certified Forensic Analyst | Advanced
GNFA: GIAC Network Forensic Analyst | Advanced
GCTI: GIAC Cyber Threat Intelligence | Advanced
GASF: GIAC Advanced Smartphone Forensics | Advanced
GREM: GIAC Reverse Engineering Malware | Advanced
Cloud Security Focus Area
GWEB: GIAC Certified Web Application Defender | Advanced
GCSA: GIAC Cloud Security Automation | Advanced
Management & Leadership Focus Area
GISP: GIAC Information Security Professional | Intermediate
GSLC: GIAC Security Leadership Certification | Advanced
GSTRT: GIAC Strategic Planning, Policy, and Leadership | Advanced
GCPM: GIAC Certified Project Manager Certification | Advanced
GLEG: GIAC Law of Data Security & Investigations | Advanced
GSNA: GIAC Systems and Network Auditor | Advanced
GIAC Security Expert
GSE: GIAC Security Expert | Expert

Most GIAC certifications are offered in conjunction with SANS training.

For more information on the GIAC security-related certification requirements, visit www.giac.org/certifications/.

EC-Council Certifications
Another competitor in certifications for security management, EC-Council (www.eccouncil.org), now offers a variety
of certifications across both technical and managerial topics. These certifications are organized into six domains:
Security Awareness, Fundamentals, Core, Specialist, Advanced, and Management. The certifications offered are listed
here; many are accompanied by training.

Security Awareness
• Secure Computer User
Fundamentals
• Encryption Specialist
• Security Specialist
Core
• Certified Network Defender
• Certified Ethical Hacker
• CEH (Master)
• Network Defense Architect
Specialist
• Certified Threat Intelligence Analyst
• Incident Handler
• Forensic Investigator
• Application Security Engineer—Java
• Application Security Engineer—.NET
• Disaster Recovery Professional
Advanced
• Certified Penetration Testing Professional
• Advanced Penetration Testing
• Licensed Penetration Tester
• Advanced Network Defense
• Certified SOC Analyst
Management
• EC-Council Information Security Manager
• Certified Chief Information Security Officer
The Certified CISO (CCISO) certification is designed to be a unique recognition for those at the peak of their
professional careers. The CCISO tests security domain knowledge and knowledge of executive business management. The
CCISO includes the following domains:
• Governance and risk management
• Information security controls, compliance, and auditing management
• Security program management and operations
• Information security core competencies
• Strategic planning, finance, procurement, and vendor management30

Before you can take the CCISO exam, EC-Council requires five years’ experience in at least three of the domains.
Those not meeting the experience requirements can take the EC-Council Information Security Manager (EISM) exam, which
is described as a “light version of the CCISO exam,”31 and then receive a discount on the CCISO exam when they have
earned the necessary experience.

CompTIA Certifications
CompTIA (www.comptia.com)—the organization that offered the first vendor-neutral professional IT certifications, the
A+ series—also offers security-related programs: the Security+, Cybersecurity Analyst+, PenTest+, and the CompTIA
Advanced Security Professional+ Certifications.

Security+
The CompTIA Security+ certification tests for entry-level security knowledge. Candidates should have two years of
on-the-job networking experience. CompTIA Security+ curricula are taught at colleges, universities, and commercial
training centers around the globe. CompTIA Security+ is used as an elective or prerequisite to advanced vendor-specific
and vendor-neutral security certifications.

The CompTIA Security+ certification exam will verify that the successful candidate has the knowledge
and skills required to assess the security posture of an enterprise environment and recommend and
implement appropriate security solutions; monitor and secure hybrid environments, including cloud,
mobile, and IoT; operate with an awareness of applicable laws and policies, including principles of
governance, risk, and compliance; identify, analyze, and respond to security events and incidents.32

CySA+
The Cybersecurity Analyst+ certification from CompTIA is an intermediate certification with both knowledge-based
and performance-based assessment. This certification focuses on incident response activities, including networking
security, security operations, and vulnerability assessment and remediation. CompTIA recommends that candidates
have a Security+ or Network+ level of knowledge and four years of related experience.
The CompTIA Cybersecurity Analyst (CySA+) certification verifies that successful candidates have the
knowledge and skills required to leverage intelligence and threat detection techniques, analyze and
interpret data, identify and address vulnerabilities, suggest preventative measures, and effectively
respond to and recover from incidents.33

PenTest+
One of the newer certifications from CompTIA is the Penetration Tester Plus certification, which includes both the
managerial and technical skills needed to investigate and examine systems for potential vulnerabilities and susceptibility
to successful attacks. The certification includes both traditional knowledge-based questions and hands-on performance
assessments as it evaluates the candidate’s ability to exploit systems and manage the vulnerabilities identified. Like
the CySA+, CompTIA recommends that the candidate possess a Security+ certification level of knowledge and at least
three to four years of experience.
The CompTIA PenTest+ certification verifies that successful candidates have the knowledge and skills
required to plan and scope an assessment, understand legal and compliance requirements, perform
vulnerability scanning and penetration testing, analyze data, and effectively report and communicate
results.34

CASP+
CompTIA’s Advanced Security Professional+ certification is designed to build upon the knowledge of the Security+
and CySA+ certifications and to assess an advanced understanding of risk, security controls, cryptography, cloud
security, virtualization, and the enterprise security domain. CompTIA recommends that candidates possess at least 10
years of experience in the field before attempting the exam, which contains both knowledge- and performance-based
assessments.

CASP+ covers the technical knowledge and skills required to conceptualize, engineer, integrate,
and implement secure solutions across complex environments to support a resilient enterprise.35

Cloud Security Certifications


A rapidly emerging area of certification among companies and organizations involves the deployment of cloud-based
information systems. For example, Amazon offers a foundational certificate, three associate-level certificates, two
professional-level certificates, and three specialty certificates. You can learn more at the AWS Certification Web site
(https://aws.amazon.com/certification/), where you can “validate technical skills and cloud expertise to grow your
career and business.” Other cloud service companies offer similar certification programs. In addition, vendor-neutral
cloud security certifications are available, as previously discussed.

Certification Costs
Certifications cost money, and the more preferred certifications can be expensive. Individual certification exams can
cost $750 or more, and certifications that require multiple exams can cost thousands of dollars. In addition, the cost
of formal training to prepare for the exams can be significant. While you should not rely completely on certification
preparation courses as groundwork for a real-world position, they can help you round out your knowledge and fill in
gaps. Some certification exams, such as the CISSP, are very broad; others, such as GIAC specializations, are very tech-
nical. Given the nature of the knowledge needed to pass the examinations, most experienced professionals find the
tests difficult without at least some review. Many prospective certificate holders engage in individual or group study
sessions and purchase one of the many excellent exam review books on the subject.
Certifications are designed to recognize experts in their respective fields, but the cost of certification serves to
deter those who might take the exam just to see if they can pass. Most examinations require years of work experience,
with some programs requiring that candidates document such experience before they are permitted to sit for the
exams or receive the certification.
Before attempting a certification exam, do your homework. Look into the exam’s stated body of knowledge as well
as its purpose and requirements to ensure that the time and energy spent pursuing the certification are worthwhile.
Figure 7-5 shows several approaches to preparing for security certification.
On the topic of professional certification for information security practitioners, Charles Cresson Wood reports
the following:
With résumé fraud on the rise, one of the sure-fire methods for employers to be sure that the
people they hire are indeed familiar with the essentials of the field is to insist that they have certain
certifications. The certifications can then be checked with the issuing organizations to make sure that
they have indeed been conferred on the applicant for employment. . . . Professional certifications
are relevant primarily to centralized information security positions. They are not generally relevant
to staff working in decentralized information security positions, unless these individuals intend to
become information security specialists. You may also look for these certifications on the résumés
of consultants and contractors working in the information security field. You may wish to list these
designations in help-wanted advertisements, look for them on résumés, and ask about them during
interviews. Automatic résumé scanning software can also be set up to search for these strings of
characters.36

Figure 7-5 Preparing for security certification: self-study guides, mentors and study partners, work experience, training media, and formal training programs.

Source: This figure has multiple sources. Top left: © Hong Vo/Shutterstock.com. Bottom left: © Phovoir/Shutterstock.com.
Bottom center: © Petinov Sergey Mihilovich/Shutterstock.com. Bottom right: © ESB Professional/Shutterstock.com. Top
right: © Goodluz/Shutterstock.com.

Advice for Information Security Professionals


As a future information security professional, you may benefit from the following suggestions:
Always remember: business before technology. Technology solutions are tools for solving business problems.
Information security professionals are sometimes guilty of looking for ways to apply the newest technology
to problems that do not require technology-based solutions.
When evaluating a problem, look at the source of the problem first, determine what factors affect the problem,
and see where organizational policy can lead you in designing a solution that is independent of technology.
Then use technology to deploy the controls necessary for implementing the solution. Technology can provide
elegant solutions to some problems, but it only exacerbates others.
Your job is to protect the organization’s information and information system resources. Never lose sight of
the goal: protecting the organization’s information assets from losses. Some people get so wrapped up in the
technology or implementation details that they lose track of the primary mission.
Be heard and not seen. Information security should be transparent to users. With minor exceptions, the actions
taken to protect information should not interfere with users’ actions. Information security supports the work
of end users, not the other way around. The only routine communications from the security team to users
should be periodic awareness messages, training announcements, newsletters, and e-mails.
Know more than you say, and be more skillful than you let on. Don’t try to impress users, managers, and other
nontechnical people with your level of knowledge and experience. One day you just might run into a Jedi
master of information security who puts you in your place.
Speak to users, not at them. Use their language, not yours. Users aren’t impressed with technobabble and
jargon. They may not comprehend all the TLAs (three-letter acronyms), technical components, software, and
hardware necessary to protect their systems, but they do know how to short-circuit your next budget request
or pick out the flaws in your business report.
Your education is never complete. As sensitive as you are to the fact that information technology is ever-
evolving, you must be equally sensitive to the fact that information security education is never complete.
Just when you think you have mastered the latest skills, you will encounter changes in threats, protection
technology, your business environment, or the regulatory environment. As a security professional, you
must expect to continue the learning process throughout your career. This is best accomplished by
seeking out periodic seminars, training programs, and formal education. Even if the organization or your
pocketbook cannot afford the more extensive and expensive training programs and conferences, you can
keep abreast of the market by reading trade magazines, textbooks, and news articles about security.
You can also subscribe to the many mailing lists for information security professionals. Join at least one
professional information security association, such as the Information Systems Security Association
(www.issa.org). Whatever approach you take, keep on top of the reading, never stop learning, and
make yourself the best-informed security professional possible. It can only enhance your worth to the
organization and your career.

Employment Policies And Practices


To create an environment in which information security is taken seriously, an organization should make it a documented
part of every employee’s job description. In other words, the general management community of interest should
integrate solid concepts for information security into the organization’s employment policies and practices. This
section examines important information security issues associated with recruiting, hiring, firing, and managing human
resources in an organization.
From an information security perspective, the hiring of employees is a responsibility laden with potential security
pitfalls. Therefore, the CISO and information security manager should work with the human resources department to
incorporate information security into the guidelines used for hiring all personnel. Figure 7-6 and several of the following
sections highlight some of the hiring issues.

Figure 7-6 Hiring issues: certifications, policies, background checks, covenants and agreements, and contracts.

Source: This figure has multiple sources. Top left: The Federal Bureau of Investigation.
Bottom center: © Andrey_Popov/www.Shutterstock.com.

Job Descriptions
Integrating information security into the hiring process begins with reviewing and updating all job descriptions. To
prevent people from applying for positions based solely on access to sensitive information, the organization should
avoid revealing access privileges to prospective employees when it advertises open positions.

Interviews
Some interviews with job candidates are conducted with members of the human resources (HR) staff, while others
include members of the department for which the position is being offered. An opening within the information secu-
rity department creates a unique opportunity for the security manager to educate HR on various certifications and
the specific experience each certification requires, as well as the qualifications of a good candidate. In all other areas
of the organization, information security staff should advise HR to limit information provided to the candidate about
responsibilities and access rights of the new hire. For organizations that include on-site visits as part of their initial
or follow-up interviews, it is important to exercise caution when showing a candidate around the facility. Avoid tours
through secure and restricted sites. Candidates who receive tours may be able to retain enough information about
operations or information security functions to become a threat.

Background Checks
A background check should be conducted before an organization extends an offer to a job candidate. A background
check is an investigation into the candidate’s past that looks for criminal behavior or other types of behavior that could
indicate potential for future misconduct. Several government regulations specify what the organization can investigate
and how much of the information uncovered can be allowed to influence the hiring decision. The security manager
and HR manager should discuss these matters with legal counsel to determine what state, federal, and perhaps inter-
national regulations affect the hiring process.
Background checks differ in the level of detail and depth with which they examine a candidate. In the military,
background checks determine the level of security clearance a candidate can be granted, a requirement for many positions. In the
business world, a background check can determine the level of trust the business places in the candidate. People being
considered for security positions should expect to be subjected to a moderately high-level background check. Those
considering careers in law enforcement or high-security positions may even be required to submit to polygraph tests.
The following list summarizes various types of background checks and the information checked for each:

Identity checks—Validation of identity and Social Security number
Education and credential checks—Validation of institutions attended, degrees and certifications earned, and
certification status
Previous employment verification—Validation of where candidates worked, why they left, what they did, and
for how long
Reference checks—Validation of references and integrity of reference sources
Social media review—Possible review of social media activity for evidence of inappropriate or unprofessional
actions
Worker’s compensation history—Investigation of claims from worker’s compensation
Motor vehicle records—Investigation of driving records, suspensions, and DUIs
Drug history—Screening for drugs and drug usage, past and present
Credit history—Investigation of credit problems, financial problems, and bankruptcy
Civil court history—Investigation of the candidate’s involvement as a plaintiff or defendant in civil suits
Criminal court history—Investigation of criminal background, arrests, convictions, and time served

As mentioned, there are federal regulations for the use of personal information in employment practices, including
the Fair Credit Reporting Act (FCRA), which governs the activities of consumer credit reporting agencies and the uses
of information procured from them.37 These credit reports generally contain information about a job candidate’s credit
history, employment history, and other personal data.
Among other things, the FCRA prohibits employers from obtaining credit reports unless the candidate is informed
in writing that such a report will be requested as part of the employment process. The FCRA also allows the candidate
to request information about the nature and type of reporting used in making the employment decision, and sub-
sequently enables the candidate to learn the content of these reports. The FCRA also restricts the periods of time
these reports can address. If the candidate earns less than $75,000 per year, the report can contain only seven years
of negative credit information. If the candidate earns $75,000 or more per year, there is no time limitation. Note that
“any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under
false pretenses shall be fined under Title 18, United States Code, imprisoned for not more than two years, or both.”38

Employment Contracts
Once a candidate has accepted a job offer, the employment contract becomes an important security instrument. Many of
the policies discussed in Module 3—specifically, the fair and responsible use policies—require an employee to agree in
writing to monitoring and nondisclosure agreements. If existing employees refuse to sign these agreements, security per-
sonnel are placed in a difficult situation. They may not be able to force employees to sign or to deny employees access
to the systems necessary to perform their duties. With new employees, however, security personnel are in a different
situation because the procedural step of policy acknowledgment can be made a requirement of employment. Policies
that govern employee behavior and are applied to all employees may be classified as “employment contingent upon
agreement.” This classification means the potential employee must agree in a written affidavit to conform with binding
organizational policies before being hired. Some organizations choose to execute the remainder of the employment
contract after the candidate has signed the security agreements. Although this may seem harsh, it is a necessary com-
ponent of the security process. Employment contracts may also contain restrictive clauses regarding the creation and
ownership of intellectual property while the candidate is employed by the organization. These provisions may require
the employee to actively protect the organization’s information assets—especially assets that are critical to security.

Most of us are not attorneys, but we should know some basic business law. If you want to know more about
employment contracts, you can visit Monster.com to read the article “What to Know Before Signing an Employ-
ment Contract” at www.monster.com/career-advice/article/employment-contract-guide.

New Hire Orientation


When new employees are introduced into the organization’s culture and workflow, they should receive an extensive
information security briefing as part of their employee orientation. All major policies should be explained, along with
procedures for performing necessary security operations and the new position’s other information security require-
ments. In addition, the levels of authorized access should be outlined for new employees, and training should be
provided regarding the secure use of information systems. By the time new employees are ready to report to their
positions, they should be thoroughly briefed on the security components of their particular jobs and on the rights and
responsibilities of all personnel in the organization.

On-the-Job Security Training


The organization should integrate the security awareness education described in Module 3 into a new hire’s job
orientation and make it a part of every employee’s on-the-job security training. Keeping security at the forefront of
employees’ minds helps minimize their mistakes and is therefore an important part of the information security team’s
mission. Formal external and informal internal seminars should also be used to increase the security awareness of
employees, especially that of security employees. An example of the importance of proper security training awareness
for employees can be found in The 9/11 Commission Report, a U.S. congressional examination published three years
after the terrorist attacks of September 11, 2001. As the following excerpt shows, security investigators reviewed vid-
eotapes from security checkpoints in airports as the terrorists were passing through and found the security process
inadequate not from a technological standpoint but from human shortcomings:
When the local civil aviation security office of the Federal Aviation Administration (FAA) later
investigated these security screening operations, the screeners recalled nothing out of the ordinary.
They could not recall that any of the passengers they screened were CAPPS (computer-assisted
passenger prescreening system) selectees. We asked a screening expert to review the videotape of the
hand-wanding, and he found the quality of the screener’s work to have been “marginal at best.” The
screener should have “resolved” what set off the alarm, and in the case of both Moqed and Hazmi, it
was clear that he did not.39

This excerpt illustrates how physical security depends on the human element. The maintenance of information
security depends heavily on the consistent vigilance of people. In many information security breaches, the hardware
and software did exactly what they were designed to do, but people failed to make the correct decisions
and follow-up choices. Education and regular training of employees and authorized users are important elements of
information security and therefore cannot be ignored.

Evaluating Performance
To heighten information security awareness and minimize risky workplace behavior, organizations should incorporate
information security into employee performance evaluations. For example, if employees have been observed keeping
system passwords on notes stuck to their monitors, they should be warned. If such behavior continues, they should
be reminded of their failure to comply with the organization’s information security regulations during their annual
performance review. In general, employees pay close attention to job performance evaluations and are more likely to
take information security seriously if violations are documented in them.

Termination
Leaving the organization may or may not be a decision made by the employee. Organizations may downsize, be bought
out or taken over, shut down, or go out of business. They may be forced to lay off, fire, or relocate their workforce. In
any event, when an employee leaves an organization, several security issues arise. Key among these is the continuity
of protection of all information to which the employee had access. Therefore, when an employee prepares to leave an
organization, the following tasks must be performed:

Access to the organization’s systems must be disabled.
Removable media must be returned.
Hard drives must be secured.
File cabinet locks must be changed.
Office door locks must be changed.
Keycard access must be revoked.
Personal effects must be removed from the organization’s premises.
After the employee has delivered keys, keycards, and other business property, he or she should be escorted from
the premises.
In addition to the tasks just listed, many organizations use an exit interview to remind the employee of contractual
obligations, such as nondisclosure agreements, and to obtain feedback about the employee’s tenure in the organization.
At the interview, the employee should be reminded that failure to comply with contractual obligations could lead to
civil or criminal action.

exit interview: A meeting with an employee who is leaving the organization to remind the employee of contractual
obligations, such as nondisclosure agreements, and to obtain feedback about the employee’s tenure.

In reality, most employees are allowed to clean out their own offices and collect their personal belongings, and are
simply asked to return their keys. From a security
standpoint, these procedures are risky and lax because they expose the organization’s
information to disclosure and theft. To minimize such risks, an organization should have security-minded termination
procedures that are followed consistently. In other words, the procedures should be followed regardless of the level of trust
the organization had for the employee. However, a universally consistent approach is difficult and sometimes awkward to
implement, which is why it’s not often applied. Given the realities of workplaces, the simplest and best method for handling
a departing employee may be to select one of the following scenarios, based on the employee’s reasons for leaving.

Hostile Departures
Hostile departures include termination for cause, permanent downsizing, temporary layoffs, and quitting in some
instances. While the employee may not seem overly hostile, the unexpected termination of employment can prompt
the person to lash out against the organization.
Before employees know they are leaving, or as soon as the hostile resignation is tendered, the security staff should
terminate all logical and keycard access. In the case of involuntary terminations, the employee should be escorted
into the supervisor’s office for the bad news. Upon receiving the termination notice or tendering a hostile resignation,
the employee should be escorted to his office or cubicle and allowed to collect personal effects. No organizational
property can be taken from the premises, including pens, papers, and books, as well as portable digital media like CDs,
DVDs, and memory devices. Regardless of the claim the employee makes on organizational property, he should not be
allowed to take it from the premises. If the employee has property he strongly wants to retain, he should be informed
that he can submit a written list of the items and the reasons he should be allowed to retain them. After the employee’s
personal property has been gathered, he should be asked to surrender all company property, such as keys, keycards,
other organizational identification, physical access devices, PDAs, pagers, cell phones, and portable computers. The
employee should then be escorted out of the building.

Friendly Departures
Friendly departures include resignation, retirement, promotion, or relocation. In such cases, the employee may have
tendered notice well in advance of the actual departure date. This scenario actually makes it more difficult for the security
team to maintain positive control over the employee’s access and information usage. Employee accounts are usually
allowed to continue to exist, though an expiration date can be set for the employee’s declared date of departure. Another
complication associated with friendly departures is that the employees can come and go at will until their departure
date, which means they will probably collect their own belongings and leave under their own recognizance. As with
hostile departures, employees should be asked to drop off all organizational property on their way out for the final time.
For either type of departure, hostile or friendly, the offices and information used by the employee must be inventoried,
files must be stored or destroyed, and all property must be returned to organizational stores. In either scenario, employees
might foresee their departure well in advance and start taking home organizational information such as files, reports, and
data from databases, perhaps thinking such items could be valuable in their future employment. This may be impossible
to prevent. Only by scrutinizing systems logs after the employee has departed and sorting out authorized actions from sys-
tems misuse or information theft can the organization determine if a breach of policy or loss of information has occurred.
If information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.
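The log review described above can be automated against the organization's own access logs. The following Python is an added example, not code from the textbook: it assumes a hypothetical space-separated log format (timestamp, user, action, object, bytes) and a constructed sample log for a departing employee "jdoe" who gave notice on 2024-03-18 and left on 2024-03-29. It compares each day of the notice period against the employee's own pre-notice daily baseline to surface bulk copying, and separately lists any activity recorded after the departure date, which would mean the account expiration mentioned under friendly departures was never applied or not enforced.

```python
"""Post-departure review of a departing employee's access logs.

Added example (not from the textbook). The log format is hypothetical:
    <ISO-8601 timestamp> <user> <action> <object> <bytes>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean

# Constructed sample log. "jdoe" gave notice on 2024-03-18 and departed on
# 2024-03-29; "asmith" is an unrelated colleague included as noise.
SAMPLE_LOG = """\
2024-03-04T09:12:03 jdoe read /projects/alpha/spec.docx 41200
2024-03-04T14:30:41 jdoe write /projects/alpha/notes.md 8100
2024-03-05T10:02:17 jdoe read /projects/alpha/budget.xlsx 60300
2024-03-06T11:45:09 jdoe read /hr/handbook.pdf 52000
2024-03-07T16:20:55 jdoe read /projects/alpha/spec.docx 41200
2024-03-08T09:05:30 jdoe write /projects/alpha/status.md 3000
2024-03-18T09:10:00 jdoe read /projects/alpha/status.md 3000
2024-03-21T18:40:12 jdoe copy /customers/export.csv 1850000
2024-03-21T18:41:30 jdoe copy /projects/alpha/ 640000
2024-03-21T18:42:00 asmith read /projects/beta/plan.docx 22000
2024-03-21T18:44:02 jdoe copy /finance/pricing.xlsx 120500
2024-03-27T10:00:00 jdoe read /projects/alpha/spec.docx 41200
2024-04-02T02:13:45 jdoe read /customers/export.csv 1850000
"""


@dataclass(frozen=True)
class Record:
    when: datetime
    user: str
    action: str
    obj: str
    nbytes: int


def parse_log(text):
    """Parse the hypothetical log format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, nbytes = line.split()
        records.append(Record(datetime.fromisoformat(ts), user, action, obj, int(nbytes)))
    return records


def daily_bytes(records, user):
    """Total bytes touched per calendar day for one user."""
    totals = defaultdict(int)
    for r in records:
        if r.user == user:
            totals[r.when.date()] += r.nbytes
    return dict(totals)


def flag_bulk_access(records, user, notice, departure, factor=3.0):
    """Days in [notice, departure] whose volume exceeds factor x the user's own
    mean daily volume before notice was given. Returns [(date, bytes)]."""
    per_day = daily_bytes(records, user)
    baseline_days = [b for d, b in per_day.items() if d < notice]
    if not baseline_days:
        raise ValueError(f"no pre-notice activity for {user}; cannot build a baseline")
    baseline = mean(baseline_days)
    return sorted((d, b) for d, b in per_day.items()
                  if notice <= d <= departure and b > factor * baseline)


def post_departure_access(records, user, departure):
    """Any record dated after departure: the account should already have expired."""
    return [r for r in records if r.user == user and r.when.date() > departure]


def review_departure(log_text, user, notice, departure, factor=3.0):
    """Run both checks; dates are ISO strings and results are plain tuples."""
    records = parse_log(log_text)
    n, d = date.fromisoformat(notice), date.fromisoformat(departure)
    return {
        "bulk_days": [(day.isoformat(), b)
                      for day, b in flag_bulk_access(records, user, n, d, factor)],
        "post_departure": [(r.when.isoformat(), r.obj)
                           for r in post_departure_access(records, user, d)],
    }


if __name__ == "__main__":
    report = review_departure(SAMPLE_LOG, "jdoe", "2024-03-18", "2024-03-29")
    for day, nbytes in report["bulk_days"]:
        print(f"bulk access on {day}: {nbytes} bytes; declare an incident and review the objects")
    for when, obj in report["post_departure"]:
        print(f"access after departure at {when}: {obj}; account expiration was not enforced")
```

A flagged day is the trigger for the incident process the paragraph describes, not proof of theft: the reviewer still has to sort the day's records into authorized work and misuse. The threshold factor and the baseline window are assumptions to tune per organization, and the post-departure check doubles as a cheap way to find accounts that outlived their expiration date.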

Personnel Control Strategies


Among internal control strategies, separation of duties is a cornerstone in the protection of information assets and
the prevention of financial loss. Separation of duties is used to reduce the chance that an employee will violate
information security and breach the confidentiality, integrity, or availability of information. The control stipulates
that the completion of a significant task involving sensitive information requires at least two people. The idea behind
this separation is that if only one person has authorization to access a particular set of information, there may be
nothing the organization can do to prevent the person from copying the information and removing it from the premises.
Separation of duties is especially important, and thus commonly implemented, when financial information must be
protected. For example, consider that two people are required to issue a cashier’s check at a bank. The first is
authorized to prepare the check, acquire the numbered financial document, and ready the check for signature. The
process then requires a second person, usually a supervisor, to sign the check. Only then can the check be issued. If
one person had the authority to perform both functions, he could write a number of checks, sign them, and steal large
sums from the bank.

The same level of control should be applied to critical data. One programmer updates the system, and a supervisor or
coworker accesses the file location in which the updates are stored. Or, one employee can be authorized to run backups
to the system, and another can install and remove the physical media.

A similar concept is known as two-person control, in which two employees review and approve each other’s work. This
concept is distinct from separation of duties, in which the two people work in sequence. In two-person control, each
person completely finishes the necessary work and then submits it to the other coworker. Each coworker then examines
the work performed, double-checking to make sure no errors or inconsistencies exist. Figure 7-7 illustrates these
operations.

separation of duties: The principle that requires significant tasks to be split up so that more than one employee is
required to complete them.

two-person control: The organization of a task or process so that at least two employees must work together to
complete it. Also known as dual control.

Figure 7-7 Internal control strategies. Two-person control: team members review each other’s work. Separation of
duties: work is divided up, and each team member performs only his or her portion of the task sequence.

Source: This figure has multiple sources. Top left: © Rawpixel.com/Shutterstock.com. Bottom left: © Goodluz/
Shutterstock.com. Top right: © imtmphoto/Shutterstock.com. Bottom right: © EdBockStock/Shutterstock.com.
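Both controls can be enforced in software rather than left to procedure. The following Python is an added example, not code from the textbook: it models the cashier's-check workflow from the text as separation of duties (prepare, then sign, by two different people holding the right roles) and models two-person control as independent completion of the same task by two people, with the result released only when they agree. The principals, roles, and the reconciliation task are invented for the example.

```python
"""Separation of duties and two-person (dual) control, enforced in code.

Added example (not from the textbook). Principals, roles and the task are
hypothetical.
"""
from dataclasses import dataclass


class ControlViolation(Exception):
    """Raised when an action would defeat a personnel control."""


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass
class CashiersCheck:
    amount: int
    prepared_by: str = ""
    signed_by: str = ""


class CheckIssuer:
    """Separation of duties: preparing and signing are sequential steps that
    must be performed by two different people, each holding the right role.
    Holding both roles does not let one person do both steps on one check."""

    def __init__(self, principals):
        self.directory = {p.name: p for p in principals}

    def _require(self, who, role):
        p = self.directory.get(who)
        if p is None or role not in p.roles:
            raise ControlViolation(f"{who} does not hold the {role} role")

    def prepare(self, who, amount):
        self._require(who, "preparer")
        if amount <= 0:
            raise ValueError("amount must be positive")
        return CashiersCheck(amount=amount, prepared_by=who)

    def sign(self, who, check):
        self._require(who, "approver")
        if not check.prepared_by:
            raise ControlViolation("check has not been prepared")
        if who == check.prepared_by:  # the core rule: no self-approval
            raise ControlViolation(f"{who} prepared this check and may not sign it")
        check.signed_by = who
        return check

    @staticmethod
    def is_issuable(check):
        """Only a check prepared and signed by two different people is issued."""
        return bool(check.prepared_by and check.signed_by
                    and check.prepared_by != check.signed_by)


class DualControlTask:
    """Two-person control: two people each complete the whole task on their
    own; the result is released only when both have submitted and agree."""

    def __init__(self, description):
        self.description = description
        self.submissions = {}  # principal name -> that person's result

    def submit(self, who, result):
        if who in self.submissions:
            raise ControlViolation(f"{who} already submitted; a second person is required")
        self.submissions[who] = result

    def released_result(self):
        """None until two people have submitted; raises if their results differ."""
        if len(self.submissions) < 2:
            return None
        distinct = set(self.submissions.values())
        if len(distinct) != 1:
            raise ControlViolation(f"submissions disagree: {self.submissions}")
        return distinct.pop()


if __name__ == "__main__":
    issuer = CheckIssuer([Principal("ana", frozenset({"preparer"})),
                          Principal("bo", frozenset({"approver"})),
                          Principal("cy", frozenset({"preparer", "approver"}))])
    check = issuer.sign("bo", issuer.prepare("ana", 5000))
    print("issuable:", CheckIssuer.is_issuable(check))
    try:
        issuer.sign("cy", issuer.prepare("cy", 9000))  # one person, both steps
    except ControlViolation as e:
        print("blocked:", e)
    count = DualControlTask("reconcile vault cash count")
    count.submit("ana", 120500)
    count.submit("bo", 120500)
    print("released:", count.released_result())
```

The check that matters is the identity comparison inside `sign`, not the role lookup: "cy" legitimately holds both roles, and a role check alone would let one person prepare and sign the same check. In a real system the comparison has to run server-side against an authenticated identity, and both names should land in the audit log so the separation can be verified afterwards.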
Another control used to prevent personnel from misusing information assets is job rotation (or task rotation). If one
employee cannot feasibly learn the entire job of another, the organization should at least try to ensure that multiple
employees on the staff can perform each critical task. Such job or task rotations can greatly increase the chance that
an employee’s misuse of the system or abuse of information will be detected by another. They also ensure that no one
employee performs actions that cannot be physically audited by another employee. In general, this method makes good
business sense. One threat to information is the organization’s inability to have multiple employees who can perform
the same task in case one employee is unable to perform his or her normal duties. If everyone knows at least part of
another worker’s job, the organization can survive the loss of any one employee.

job rotation: The requirement that every employee be able to perform the work of another employee.

task rotation: The requirement that all critical tasks can be performed by multiple employees.
This leads to a control measure that may seem surprising: mandatory vacations. Why should a company require
its employees to take vacations? A mandatory vacation of at least one week gives the organization the ability to
audit the work of an employee. People who are stealing from the organization or otherwise misusing information or
systems are generally reluctant to take vacations, for fear that their actions will be detected. Therefore, all employees
should be required to take a vacation so their jobs can be audited. This is not meant to imply that employees are
untrustworthy but to show how organizations must be creative with the control measures they apply and even consider
the security situation as a potential attacker would. The mandatory vacation policy is effective because it makes
employees consider that they might be caught if they abuse the system. Information security professionals who think
this practice impugns the character of their coworkers should note that some bonding authorities, auditing agencies,
and oversight boards require mandatory vacations for all employees.
A related concept, garden leave, is used by some companies to restrict the flow of proprietary information when an employee leaves to join a competitor. When this procedure is invoked, an employee is paid salary and benefits after departure for a period of time, often 15 or 30 days; is not allowed access to the former place of employment; and is not allowed to report to the new employer yet. The intent is to have employees lose the immediate value of any current knowledge about tactical intelligence at the former firm and ensure that the employee’s recollections of specific details fade. Technically, such employees remain on the payroll of the former company, but they cannot go to work at their new company yet. The term garden leave comes from the fact that the employee can do little more than stay home and tend a garden for a while. In some organizations, employees are required to sign a covenant not to compete (CNC) or a noncompete clause (NCC), which prevents them from working for a direct competitor within a specified time frame—usually a few months to several years. This clause is designed to minimize the loss of intellectual property when employees change jobs.

You can learn more about the intricacies of garden leave from an article called The Law and Practice of Garden Leave: Rights, Duties, Enforcement, and Resistance, which is available from Law Gazette at https://lawgazette.com.sg/feature/the-law-and-practice-of-garden-leave-rights-duties-enforcement-and-resistance/.

One final control measure is that employees should have access to the minimum amount of information necessary for them to perform their duties, and only as long as needed. In other words, there is no need for everyone in the organization to have access to all information. This principle is called need to know. A similar concept is least privilege, in which employees are restricted in their access and use of information based on their need to know. For example, an HR employee may have the need to access all employees’ HR files, but may have the least privilege of only being allowed to edit (update) the retirement benefits sections of those files. The whole purpose of information security is to allow people who need to use system information to do so without being concerned about its confidentiality, integrity, and availability. Organizations should keep in mind that everyone who can access data probably will, with potentially serious consequences for the organization’s information security.

need to know: The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks.

least privilege: The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation needed; least privilege implies a need to know.
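The HR example above, as added example code (not from the textbook): an authorization check that applies need to know (which employees’ files a role may see at all) separately from least privilege (which sections of those files it may read or update). The role names, section names, employee IDs and sample records are constructed for the example.

```python
"""Added example, not from the textbook: an authorization check that applies
need to know (which files a role may see) and least privilege (which sections
it may read or update) to HR records, following the module's HR example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


class AccessDenied(Exception):
    """Raised with the name of the principle that blocked the request."""


@dataclass(frozen=True)
class Grant:
    scope: str                  # "all": every employee's file; "self": own file only
    readable: FrozenSet[str]    # sections the role needs to know
    writable: FrozenSet[str]    # the minimum subset it may update (least privilege)

    def __post_init__(self) -> None:
        if not self.writable <= self.readable:
            raise ValueError("a role cannot update what it cannot read")


# Constructed policy. The HR benefits clerk needs to see every employee's file
# but may edit only the retirement benefits section, as in the module's example.
POLICY: Dict[str, Grant] = {
    "hr_benefits": Grant("all",
                         frozenset({"contact", "medical", "retirement_benefits"}),
                         frozenset({"retirement_benefits"})),
    "employee": Grant("self",
                      frozenset({"contact", "retirement_benefits"}),
                      frozenset({"contact"})),
}


class HRStore:
    """Holds HR files and mediates every access through the policy."""

    def __init__(self, files: Dict[str, Dict[str, str]]) -> None:
        self._files = files                                   # employee_id -> sections
        self.audit: List[Tuple[str, str, str, str]] = []      # (actor, op, target, section)

    def _authorize(self, actor: str, role: str, target: str, section: str, op: str) -> None:
        grant = POLICY.get(role)
        if grant is None:
            raise AccessDenied(f"unknown role {role!r}")
        # Need to know: is this employee's file within the role's scope at all?
        if grant.scope == "self" and actor != target:
            raise AccessDenied(f"need to know: {actor} has no need for {target}'s file")
        # Least privilege: is this operation on this section part of the minimum?
        allowed = grant.writable if op == "update" else grant.readable
        if section not in allowed:
            raise AccessDenied(f"least privilege: {role} may not {op} {section}")
        self.audit.append((actor, op, target, section))

    def read(self, actor: str, role: str, target: str, section: str) -> str:
        self._authorize(actor, role, target, section, "read")
        return self._files[target][section]

    def update(self, actor: str, role: str, target: str, section: str, value: str) -> None:
        self._authorize(actor, role, target, section, "update")
        self._files[target][section] = value


def sample_store() -> HRStore:
    """Constructed sample data (not real records)."""
    return HRStore({
        "e100": {"contact": "x100@example.test", "medical": "none on file",
                 "retirement_benefits": "plan A, 4%"},
        "e200": {"contact": "x200@example.test", "medical": "none on file",
                 "retirement_benefits": "plan B, 6%"},
    })


def attempt(store: HRStore, actor: str, role: str, target: str, section: str,
            op: str, value: Optional[str] = None) -> str:
    """Runs one access and reports 'ok' or the principle that denied it."""
    try:
        if op == "update":
            store.update(actor, role, target, section, value or "")
        else:
            store.read(actor, role, target, section)
        return "ok"
    except AccessDenied as exc:
        return str(exc).split(":")[0]
```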

Privacy and the Security of Personnel Data


Organizations are required by law to protect employee information that is sensitive or personal, as you learned in
Module 6. This information includes employee addresses, phone numbers, Social Security numbers, medical conditions,
and even names and addresses of family members.
In principle, personnel data is no different from other data that an organization’s information security group must
protect, but a great deal more regulation covers its protection. As a result, information security groups should ensure
that this data receives at least the same level of protection as other important data in the organization, including
intellectual property, strategic planning data, and other business-critical information.

Security Considerations for Temporary Employees, Consultants, and Other Workers
Temporary employees, contract employees, and other types of workers are not subject to rigorous screening,
contractual obligations, or eventual secured termination, but they often have access to sensitive organizational
information. As outlined in the sections that follow, relationships with workers in these categories should be carefully
managed to prevent a possible information leak or theft.

Temporary Employees
Some employees are hired to serve in a temporary position or to supplement the existing workforce. These employees
do not work for the organization where they perform their duties, but instead are usually paid employees of a temp
agency or organization that provides qualified workers at the paid request of another company. Temps typically
provide secretarial or administrative support and thus may be exposed to a wide range of information. Because they
are not employed by the host organization, they are often not subject to the contractual obligations or general policies
that govern other employees. If temps violate a policy or cause a problem, the strongest action the host organization
can take is to terminate the relationships and request that the temps be censured. The employing agency is under no
contractual obligation to comply, although it may censure the employee to appease an important client.
From a security standpoint, temporary employees’ access to information should be limited to that necessary
for them to perform their duties. The organization can attempt to have temporary employees sign nondisclosure
agreements and fair use policies, but the temp agency may refuse, forcing the host organization to find a new temp agency, go without the assistance of the temp worker, or allow the temp to work without the agreement. This can create
a potentially awkward and dangerous situation, as temporary workers may inadvertently gain access to information
that does not directly relate to their responsibilities. The only way to combat this threat is to ensure that the supervisor
restricts the information to which the temp has access and makes sure all employees follow good security practices,
especially clean desk policies and those for the security of classified data. Temps can provide great benefits to the
host organization, but they should not be employed at the cost of sacrificing information security.

Contract Employees
Contract employees are typically hired to perform specific services for the organization. In such cases, the host company often makes a contract with a parent organization rather than with an individual employee for a particular task. Typical contract employees include groundskeepers, maintenance workers, electrical contractors, mechanical service contractors, and other service and repair workers. Although some contract workers may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources, except when the organization has leased computing equipment or contracted with a disaster recovery service. Contract employees may also need access to various facilities, but this does not mean they should be allowed to wander freely in and out of buildings. For the organization to maintain a secure facility, all contract employees should be escorted from room to room, as well as into and out of the facility. When contract employees report for maintenance or repair services, security personnel should first verify that these services are actually scheduled or approved. As indicated in earlier modules, attackers have been known to dress up as telephone repairmen, maintenance technicians, or janitors to gain physical access to a building. Therefore, direct supervision of contract employees is a necessity.
Another necessary aspect of hiring contract employees is making certain that restrictions or requirements are negotiated into the contract agreements before they are activated. For example, regulations like the following should be negotiated well in advance: The facility requires 24 to 48 hours’ notice of a maintenance visit, the facility requires all on-site personnel to undergo background checks, and the facility requires advance notice for cancellation or rescheduling of a maintenance visit.

Consultants
Sometimes, on-site contracted workers are self-employed or are employees of an organization hired for a specific, one-time purpose. These workers are typically referred to as consultants, and they have their own security requirements and contractual obligations. Contracts for consultants should specify all requirements for information or facility access before the consultants are allowed into the workplace. Security and technology consultants in particular must be prescreened, escorted through work areas, and subjected to nondisclosure agreements to protect the organization from possible breaches of confidentiality. It is human nature (and a trait often found among consultants) to brag about the complexity of a particular job or an outstanding service provided to another client. If the organization does not want the consultant to mention their working relationship or to disclose any details about a particular system configuration, the organization must write these restrictions into the contract. Consultants typically request permission to present work samples to other companies as part of their résumés, but a client organization is not obligated to grant this permission and can even explicitly deny permission in writing. Organizations should also remember that just because they are paying an information security consultant, the protection of their information doesn’t become the consultant’s top priority.

Business Partners
On occasion, businesses create strategic alliances with other organizations that want to exchange information, integrate systems, or simply discuss operations for mutual advantage. In these situations, a prior business agreement is needed to specify the level of exposure both organizations are willing to tolerate. Sometimes, one division of a company enters a strategic partnership with an organization that directly competes with another of the company’s own divisions. If the strategic partnership evolves into an integration of both companies’ systems, competing groups might exchange information that neither parent organization expected to share. As a result, both organizations must make a meticulous, deliberate determination of what information is to be exchanged, in what format, and with whom. Nondisclosure agreements must be in place. Also, the security levels of both systems must be examined before any physical integration takes place—once systems are connected, the vulnerability of one system becomes the vulnerability of all.

Closing Scenario
After her meeting with Charlie, Iris returned to her office. When she had completed her daily assignments, she began to make
some notes about the information security position Charlie had offered her.

Discussion Questions
1. What questions should Iris ask Charlie about the future of the information security unit at the company?
2. What questions should Iris ask Kelvin about the job for which she is being considered?

Ethical Decision Making


Suppose that Iris and Kelvin are involved in a romantic relationship, unknown to anyone else in the company. Romantic
relationships between employees are not against company policy, but married employees are specifically prohibited from
being in a direct reporting relationship with each other.
1. Should Iris inform Charlie about her relationship with Kelvin if she does not plan to apply for the transfer?
2. If Iris does apply for the job but has no current plans for marriage, should she inform Charlie of her relationship?

Selected Readings
There are many excellent sources of additional information in the area of information security. A few that can add to your
understanding of this module are listed here:

• Information Security Roles and Responsibilities Made Easy, Version 3, by Charles Cresson Wood. 2012. Information Shield.
• Management of Information Security, 6th Edition, by Michael E. Whitman and Herbert J. Mattord. 2019. Cengage Learning.

Module Summary
Where to place the information security function within the organization is a key decision. The most popular options involve placing information security within IT or the physical security function. Organizations searching for a rational compromise should place the information security function where it can balance its need to enforce company policy with its need to deliver service to the entire organization.
The selection of information security personnel is based on several criteria, not all of which are within the control of the organization. In most cases, organizations look for a technically qualified information security generalist with a solid understanding of how an organization operates. The following attributes are also desirable:
❍ An attitude that information security is usually a management problem, not an exclusively technical problem
❍ Good people skills, communication skills, writing skills, and a tolerance for users
❍ An understanding of the role of policy in guiding security efforts
❍ An understanding of the role of education and training in making users part of the solution
❍ An understanding of the threats facing an organization, how they can become attacks, and how to protect the organization from information security attacks
❍ A working knowledge of many common technologies and a general familiarity with most mainstream IT technologies
Many information security professionals enter the field through one of two career paths: via law enforcement or the military, or from other professions related to technical information systems. In recent years, college students have been able to take courses that prepare them to enter the information security workforce directly.
During the hiring process for an information security position, an organization should use standard job descriptions to increase the degree of professionalism among applicants and to make sure the position’s roles and responsibilities are consistent with those of similar positions in other organizations. Studies of information security positions have found that they can be classified into one of three areas: those that define, those that build, and those that administer.
When filling information security positions, many organizations indicate the level of proficiency required for the job by specifying that candidates have recognizable certifications. Some of the more popular certifications are the following:
❍ The (ISC)2 family of certifications, including the Certified Information Systems Security Professional (CISSP), a number of specialized CISSP certifications, the Systems Security Certified Practitioner (SSCP), the Associate of (ISC)2, and several other specialized certifications
❍ The ISACA family of certifications, including the Certified Information Security Manager (CISM), the Certified Information Systems Auditor (CISA), and several other specialized certifications
❍ The Global Information Assurance Certification (GIAC) family of certifications, including the GIAC Information Security Professional and the GIAC Security Leadership Certification
❍ CompTIA’s Security+ and EC-Council’s CCISO
The general management community of interest should integrate information security concepts into the organization’s employment policies and practices. Areas in which information security should be a consideration include employment contracts, new hire orientation, performance evaluation, termination, and hiring. The hiring process includes job descriptions, interviews, and background checks.
Separation of duties is a control used to reduce the chance of any person violating information security and breaching the confidentiality, integrity, or availability of information. According to the principle behind this control, any major task that involves sensitive information should require two people to complete.
Organizations may need the special services of temporary employees, contract employees, consultants, and business partners, but these relationships should be carefully managed to prevent information leaks or theft.

Review Questions
1. What member of an organization should decide where the information security function belongs within the organizational structure? Why?
2. List and describe the options for placing information security within the organization.
3. For each major information security job title covered in the module, list and describe the key qualifications and requirements for the position.
4. What factors influence an organization’s decisions to hire information security professionals?
5. Prioritize the list of general attributes that organizations seek when hiring information security professionals. In other words, list the most important attributes first. Use the list you developed to answer the previous review question.
6. What are critical considerations when dismissing an employee? Do they change according to whether the departure is friendly or hostile, or according to which position the employee is leaving?
7. How do security considerations for temporary or contract employees differ from those for regular full-time employees?
8. What career paths do most experienced professionals take when moving into information security? Are other pathways available? If so, describe them.
9. Why is it important to use specific and clearly defined job descriptions for hiring information security professionals?
10. What functions does the CISO perform?
11. What functions does the security manager perform?
12. What functions does the security analyst perform?
13. What rationale should an aspiring information security professional use in acquiring professional credentials?
14. List some of the information security certifications mentioned in this module.
15. Discuss the financial costs of certification. How expensive is the process?
16. List and describe the standard personnel policies and practices that are part of the information security function.
17. Why shouldn’t an organization give a job candidate a tour of secure areas during an interview?
18. List and describe the typical relationships that organizations have with temporary employees, contract employees, consultants, and business partners. What special security precautions must an organization consider for such workers, and why are they significant?
19. What is separation of duties? How can it be used to improve an organization’s information security practices?
20. What is job rotation, and what benefits does it offer an organization?

Exercises
1. Search your library’s database and the Web for an article about people who violate their organization’s policy and are terminated. Did you find many? Why or why not?
2. Go to the (ISC)2 Web site at www.isc2.org. Research the knowledge areas included in the tests for the CISSP and SSCP certifications. What areas must you study that are not included in this book?
3. Using the Web, identify some certifications with an information security component that were not discussed in this module.
4. Search the Web for at least five job postings for a security analyst. What qualifications do the listings have in common?
5. Search the Web for three different employee hiring and termination policies. Review each and look carefully for inconsistencies. Do each of the policies have sections that address information security requirements? What clauses should a termination policy contain to prevent disclosure of an organization’s information? Create your own version of either a hiring policy or a termination policy.
