Principles of Information

Security,
Fourth Edition
Chapter 11
Personnel and Security
 Learning Objectives
• Upon completion of this material, you should be
able to:
– Describe where and how the information security
function is positioned within organizations
– Explain the issues and concerns related to staffing
the information security function
– Enumerate the credentials that information security
professionals can earn to gain recognition in the field
– Illustrate how an organization’s employment policies
and practices can support the information security
effort
Principles of Information Security, Fourth Edition 2
 Learning Objectives (cont’d.)
– Identify the special security precautions that must be
taken when using contract workers
– Explain the need for the separation of duties
– Describe the special requirements needed to ensure
the privacy of personnel data

Principles of Information Security, Fourth Edition 3

 Introduction
• When implementing information security, there are
many human resource issues that must be
addressed
– Positioning and naming
– Staffing
– Evaluating impact of information security across every
role in IT function
– Integrating solid information security concepts into
personnel practices
• Employees often feel threatened when the
information security program is being updated
Principles of Information Security, Fourth Edition 4
 Positioning and Staffing the Security
Function
• The security function can be placed within:
– IT function
– Physical security function
– Administrative services function
– Insurance and risk management function
– Legal department
• Organizations balance needs of enforcement with
needs for education, training, awareness, and
customer service

Principles of Information Security, Fourth Edition 5

 Staffing the Information Security
Function
• Selecting personnel is based on many criteria,
including supply and demand
• Many professionals enter security market by
gaining skills, experience, and credentials
• At present, information security industry is in a
period of high demand

Principles of Information Security, Fourth Edition 6

 Staffing the Information Security
Function (cont’d.)
• Qualifications and requirements
– The following factors must be addressed:
• General management should learn more about skills
and qualifications for positions
• Upper management should learn about budgetary
needs of information security function
• IT and general management must learn more about
level of influence and prestige the information security
function should be given to be effective
– Organizations typically look for technically qualified
information security generalist

Principles of Information Security, Fourth Edition 7

 Staffing the Information Security
Function (cont’d.)
• Qualifications and requirements (cont’d.)
– Organizations look for information security
professionals who understand:
• How an organization operates at all levels
• Information security is usually a management
problem, not a technical problem
• Strong communications and writing skills
• The role of policy in guiding security efforts

Principles of Information Security, Fourth Edition 8

 Staffing the Information Security
Function (cont’d.)
• Qualifications and requirements (cont’d.)
– Organizations look for information security
professionals who understand (cont’d.):
• Most mainstream IT technologies
• The terminology of IT and information security
• Threats facing an organization and how they can
become attacks
• How to protect organization’s assets from information
security attacks
• How business solutions can be applied to solve
specific information security problems

Principles of Information Security, Fourth Edition 9

 Staffing the Information Security
Function (cont’d.)
• Entry into the information security profession
– Many information security professionals enter the
field through one of two career paths:
• Law enforcement and military
• Technical, working on security applications and
processes
– Today, students select and tailor degree programs to
prepare for work in information security
– Organizations can foster greater professionalism by
matching candidates to clearly defined expectations
and position descriptions
Principles of Information Security, Fourth Edition 10
 Figure 11-1 Career Paths to Information
Security Positions

Principles of Information Security, Fourth Edition 11

 Staffing the Information Security
Function (cont’d.)
• Information security positions
– Use of standard job descriptions can increase
degree of professionalism and improve the
consistency of roles and responsibilities between
organizations
– Charles Cresson Wood’s book, Information Security
Roles and Responsibilities Made Easy: offers set of
model job descriptions

Principles of Information Security, Fourth Edition 12

 Figure 11-2 Positions in Information Security

Principles of Information Security, Fourth Edition 13

 Staffing the Information Security
Function (cont’d.)
• Chief Information Security Officer (CISO or CSO)
– Top information security position; frequently reports
to Chief Information Officer (CIO)
– Manages the overall information security program
– Drafts or approves information security policies
– Works with the CIO on strategic plans

Principles of Information Security, Fourth Edition 14

 Staffing the Information Security
Function (cont’d.)
• Chief Information Security Officer (CISO or CSO)
(cont’d.)
– Develops information security budgets
– Sets priorities for information security projects and
technology
– Makes recruiting, hiring, and firing decisions or
recommendations
– Acts as spokesperson for information security team
– Typical qualifications: accreditation, graduate
degree, experience

Principles of Information Security, Fourth Edition 15

 Staffing the Information Security
Function (cont’d.)
• Security manager
– Accountable for day-to-day operation of information
security program
– Accomplish objectives as identified by CISO
– Typical qualifications: not uncommon to have
accreditation; ability to draft middle- and lower-level
policies; standards and guidelines; budgeting,
project management, and hiring and firing; manage
technicians

Principles of Information Security, Fourth Edition 16

 Staffing the Information Security
Function (cont’d.)
• Security technician
– Technically qualified individuals tasked to configure
security hardware and software
– Tend to be specialized
– Typical qualifications:
• Varied; organizations prefer expert, certified, proficient
technician
• Some experience with a particular hardware and
software package
• Actual experience in using a technology usually
required

Principles of Information Security, Fourth Edition 17

 Credentials of Information Security
Professionals
• Many organizations seek recognizable
certifications
• Most existing certifications are relatively new and
not fully understood by hiring organizations

Principles of Information Security, Fourth Edition 18

 Certifications
• (ISC)2 Certifications
– Certified Information Systems Security Professional
(CISSP)
– Systems Security Certified Practitioner (SSCP)
– Associate of (ISC)2
– Certification and Accreditation Professional (CAP)
• ISACA Certifications
– Certified Information Systems Auditor (CISA)
– Certified Information Security Manager (CISM)

Principles of Information Security, Fourth Edition 19

 Certifications (cont’d.)
• SANS Global Information Assurance Certification
(GIAC)
• Security Certified Program (SCP)
• CompTIA’s Security+
• Certified Computer Examiner (CCE)
• Related Certifications
– Prosoft
– RSA Security
– CheckPoint
– Cisco
Principles of Information Security, Fourth Edition 20
 Certification Costs
• Better certifications can be very expensive
• Even experienced professionals find it difficult to take
an exam without some preparation
• Many candidates teach themselves through trade
press books; others prefer structure of formal training
• Before attempting a certification exam, do all
homework and review exam criteria, its purpose, and
requirements in order to ensure that the time and
energy spent pursuing certification are well spent

Principles of Information Security, Fourth Edition 21

 Figure 11-3 Preparing for Security Certification

Principles of Information Security, Fourth Edition 22

 Advice for Information Security
Professionals
• Always remember: business before technology
• Technology provides elegant solutions for some
problems, but adds to difficulties for others
• Never lose sight of goal: protection
• Be heard and not seen
• Know more than you say; be more skillful than you
let on
• Speak to users, not at them
• Your education is never complete

Principles of Information Security, Fourth Edition 23

 Employment Policies and Practices
• Management community of interest should
integrate solid information security concepts into
organization’s employment policies and practices
• Organization should make information security a
documented part of every employee’s job
description

Principles of Information Security, Fourth Edition 24

 Employment Policies and Practices
(cont’d.)
• From information security perspective, hiring of
employees is a responsibility laden with potential
security pitfalls
• CISO and information security manager should
provide human resources with information security
input to personnel hiring guidelines

Principles of Information Security, Fourth Edition 25

 Figure 11-4 Hiring Issues

Principles of Information Security, Fourth Edition 26

 Job Descriptions
• Integrating information security perspectives into
hiring process begins with reviewing and updating
all job descriptions
• Organization should avoid revealing access
privileges to prospective employees when
advertising open positions

Principles of Information Security, Fourth Edition 27

 Interviews
• An opening within the information security
department creates a unique opportunity for the
security manager to educate HR on certifications,
experience, and qualifications of a good candidate
• Information security should advise HR to limit
information provided to the candidate on the
responsibilities and access rights the new hire
would have
• For organizations that include on-site visits as part
of interviews, it’s important to use caution when
showing candidate around facility
Principles of Information Security, Fourth Edition 28
 Background Checks
• Investigation into a candidate’s past
• Should be conducted before organization extends
offer to candidate
• Background checks differ in level of detail and
depth with which candidate is examined
• May include identity check, education and
credential check, previous employment verification,
references check, worker’s compensation history,
motor vehicle records, drug history, credit history,
and more

Principles of Information Security, Fourth Edition 29

 Types of Background Checks
• Identity checks: Validation of identity and Social
Security number
• Education and credential checks: Validation of
institutions attended, degrees and certifications
earned, and certification status
• Previous employment verification: Validation of
where candidates worked, why they left, what they
did, and for how long
• Reference checks: Validation of references and
integrity of reference sources

Principles of Information Security, Fourth Edition 30

Types of Background Checks (cont’d.)
• Worker’s compensation history: Investigation of
claims from worker’s compensation
• Motor vehicle records: Investigation of driving
records, suspensions, and DUIs
• Drug history: Screening for drugs and drug usage,
past and present
• Credit history: Investigation of credit problems,
financial problems, and bankruptcy

Principles of Information Security, Fourth Edition 31

Types of Background Checks (cont’d.)
• Civil court history: Investigation of involvement as
the plaintiff or defendant in civil suits
• Criminal court history: Investigation of criminal
background, arrests, convictions, and time served

Principles of Information Security, Fourth Edition 32

 Employment Contracts
• Once a candidate has accepted the job offer,
employment contract becomes important security
instrument
• Many security policies require an employee to
agree in writing
• New employees may find policies classified as
“employment contingent upon agreement,”
whereby employee is not offered the position
unless binding organizational policies are agreed to

Principles of Information Security, Fourth Edition 33

 New Hire Orientation
• New employees should receive extensive
information security briefing on policies,
procedures, and requirements for information
security
• Levels of authorized access are outlined; training
provided on secure use of information systems
• By the time employees start, they should be
thoroughly briefed and ready to perform duties
securely

Principles of Information Security, Fourth Edition 34

 On-the-Job Security Training
• Organization should conduct periodic security
awareness training
• Keeping security at the forefront of employees’
minds and minimizing employee mistakes is an
important part of information security awareness
mission
• External and internal seminars also increase level
of security awareness for all employees,
particularly security employees

Principles of Information Security, Fourth Edition 35

 Evaluating Performance
• Organizations should incorporate information
security components into employee performance
evaluations
• Employees pay close attention to job performance
evaluations
– If evaluations include information security tasks,
employees are more motivated to perform these
tasks at a satisfactory level

Principles of Information Security, Fourth Edition 36

 Termination
• When employee leaves organization, there are a
number of security-related issues
• Key is protection of all information to which
employee had access
• Once cleared, the former employee should be
escorted from premises
• Many organizations use an exit interview to remind
former employee of contractual obligations and to
obtain feedback

Principles of Information Security, Fourth Edition 37

 Termination (cont’d.)
• Hostile departures include termination for cause,
permanent downsizing, temporary lay-off, or some
instances of quitting
– Before employee is aware, all logical and keycard
access is terminated
– Employee collects all belongings and surrenders all
keys, keycards, and other company property
– Employee is then escorted out of the building

Principles of Information Security, Fourth Edition 38

 Termination (cont’d.)
• Friendly departures include resignation, retirement,
promotion, or relocation
– Employee may be notified well in advance of
departure date
– More difficult for security to maintain positive control
over employee’s access and information usage
– Employee access usually continues with new
expiration date
– Employees come and go at will, collect their own
belongings, and leave on their own

Principles of Information Security, Fourth Edition 39

 Termination (cont’d.)
• Offices and information used by the employee must
be inventoried; files stored or destroyed; and
property returned to organizational stores
• Possible that employees foresee departure well in
advance and begin collecting organizational
information for their future employment
• Only by scrutinizing systems logs after employee has
departed can organization determine if there has
been a breach of policy or a loss of information
• If information has been copied or stolen, report an
incident and follow the appropriate policy
Principles of Information Security, Fourth Edition 40
 Security Considerations for
Nonemployees
• Individuals not subject to screening, contractual
obligations, and eventual secured termination often
have access to sensitive organizational information
• Relationships with these individuals should be
carefully managed to prevent possible information
leak or theft

Principles of Information Security, Fourth Edition 41

 Temporary Employees
• Hired by organization to serve in temporary position
or to supplement existing workforce
• Often not subject to contractual obligations or
general policies; if temporary employees breach a
policy or cause a problem, possible actions are
limited
• Access to information for temporary employees
should be limited to that necessary to perform duties
• Temporary employee’s supervisor must restrict the
information to which access is possible

Principles of Information Security, Fourth Edition 42

 Contract Employees
• Typically hired to perform specific services for
organization
• Host company often makes contract with parent
organization rather than with individual for a
particular task
• In secure facility, all contract employees escorted
from room to room, as well as into and out of facility
• There is need for restrictions or requirements to be
negotiated into contract agreements when they are
activated

Principles of Information Security, Fourth Edition 43

 Consultants
• Should be handled like contract employees, with
special requirements for information or facility
access integrated into contract
• Security and technology consultants must be
prescreened, escorted, and subjected to
nondisclosure agreements to protect organization
• Just because security consultant is paid doesn’t
make the protection of organization’s information
the consultant’s number one priority

Principles of Information Security, Fourth Edition 44

 Business Partners
• Businesses find themselves in strategic alliances
with other organizations, desiring to exchange
information or integrate systems
• There must be meticulous, deliberate process of
determining what information is to be exchanged,
in what format, and to whom
• Nondisclosure agreements and the level of security
of both systems must be examined before any
physical integration takes place

Principles of Information Security, Fourth Edition 45

 Internal Control Strategies
• Cornerstone in protection of information assets and
against financial loss
• Separation of duties: control used to reduce
chance of individual violating information security;
stipulates that completion of significant task
requires at least two people
• Collusion: unscrupulous workers conspiring to
commit unauthorized task

Principles of Information Security, Fourth Edition 46

 Internal Control Strategies (cont’d.)
• Two-man control: two individuals review and
approve each other’s work before the task is
categorized as finished
• Job rotation: employees know each others’ job
skills
• Least privilege: ensures that no unnecessary
access to data exists and that only those
individuals who must access the data do so

Principles of Information Security, Fourth Edition 47

 Figure 11-6 Internal Control Strategies

Principles of Information Security, Fourth Edition 48

 Privacy and the Security of Personnel
Data
• Organizations required by law to protect sensitive
or personal employee information
• Includes employee addresses, phone numbers,
Social Security numbers, medical conditions, and
family names and addresses
• This responsibility also extends to customers,
patients, and business relationships

Principles of Information Security, Fourth Edition 49

 Summary
• Positioning the information security function within
organizations
• Issues and concerns about staffing information
security
• Professional credentials of information security
professionals
• Organizational employment policies and practices
related to successful information security

Principles of Information Security, Fourth Edition 50

 Summary (cont’d.)
• Special security precautions for nonemployees
• Separation of duties
• Special requirements needed for the privacy of
personnel data

Principles of Information Security, Fourth Edition 51