This document discusses security and personnel issues related to an information technology security course. It covers positioning the security function within an organization, staffing the security team, and qualifications for security roles. It also addresses how to integrate security practices into human resources policies like hiring, contracting, and training new employees. The overall goal is to successfully implement security while gaining employee acceptance and support.
English PowerPoint - civic education, by Nuria Iuzzolino
Security and personnel
1. Security and Personnel
ILLINOIS INSTITUTE OF TECHNOLOGY. Transforming Lives. Inventing the Future. www.iit.edu
ITM 578 1
Ray Trygstad
ITM 578 Section 071
Summer 2003
Master of Information Technology & Management Program
Center for Professional Development
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
2. Learning Objectives:
Upon completion of this lesson students should be able to:
– Describe where and how the information security function is positioned within organizations
– Discuss issues and concerns about staffing the information security function
– Describe credentials that professionals in the information security field can acquire
3. Learning Objectives:
Upon completion of this lesson students should be able to:
– Recognize how an organization’s employment policies and practices can support the information security effort
– Explain special security precautions necessary for nonemployees
– Recognize the need for the separation of duties
– Describe special requirements needed for the privacy of personnel data
4. Introduction
When implementing information security, many human resource issues must be addressed:
1. How to position and name the security function
2. Planning of proper staffing for the information security function
3. Understanding the impact of information security across every role in the IT function and adjusting job descriptions and documented practices accordingly
4. General management working with IS professionals to integrate solid information security concepts into organizational personnel management practices
5. Introduction
Understanding the impact of change to the organization’s personnel management practices is important to the success of implementation
Employees often feel threatened when an organization is creating or enhancing an overall information security program
Quelling doubts and reassuring employees is a fundamental part of implementation
It’s important to supply resources to gather and respond quickly to employee feedback
6. Security Function Within an Organization’s Structure
The security function can be placed within the:
– IT function
– Physical security function
– Administrative services function
– Insurance and risk management function
– Legal department
7. Security Function Within an Organization’s Structure
The challenge is to design a structure that balances the competing needs of the communities of interest
Organizations compromise to balance the needs of enforcement with the needs for education, training, awareness, and customer service
8. Audit Function of IT Security
Since information security has an important audit function, some feel it should not be in the IT organization
This is based on the principle that audit organizations should be external to the area audited
9. Staffing the Security Function
Selecting information security personnel is based on many criteria, including supply and demand
Many professionals enter the security market by gaining skills, experience, and credentials to qualify as new supply
10. Staffing the Security Function
Until the new supply reaches the demand level, organizations must pay the higher costs associated with the current limited supply
When supply reaches a level at or above demand, organizations hiring these skills can become selective, so the cost they are willing to pay drops
Currently the information security industry is in a period of high demand
11. Qualifications and Requirements
Issues in information security hiring:
– Management should learn more about position requirements and qualifications
– Upper management should also learn more about the budgetary needs of the information security function
– Management needs to learn more about the level of influence and prestige the information security function should be given in order to be effective
12. Qualifications and Requirements
Organizations typically look for a technically qualified information security generalist
In the information security discipline, over-specialization is often a risk, and it is important to balance technical skills with general information security knowledge
13. Hiring Criteria
When hiring infosec professionals, organizations frequently look for individuals who understand:
– How an organization operates at all levels
– That information security is usually a management problem and is seldom an exclusively technical problem
– People, and who have strong communication and writing skills
– The roles of policy and education and training
14. More Hiring Criteria
When hiring infosec professionals, organizations frequently look for individuals who understand:
– The threats and attacks facing an organization
– How to protect the organization from attacks
– How business solutions can be applied to solve specific information security problems
– Many of the most common mainstream IT technologies, as generalists
– The terminology of IT and information security
15. Entry into the Security Profession
Many information security professionals enter the field through one of two career paths:
– Ex-law enforcement and military personnel
– Technical professionals working on security applications and processes
Today, students are selecting and tailoring degree programs to prepare for work in security
16. Career Paths to InfoSec Positions
FIGURE 11-1 Career Paths to Information Security Positions (paths shown: military and law enforcement, security education, and technology, each leading to security)
17. Entry into the Security Profession
The current perception is that a security professional must first be a proven professional in another field of IT
IT professionals moving into information security often focus on the technology to the exclusion of general information security issues
Organizations can foster greater professionalism in the field through clearly defined expectations and position descriptions
18. Information Security Positions
The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references
19. Positions in Information Security
FIGURE 11-2 Positions in Information Security (positions shown: Chief Information Security Officer (CISO), Security Consultant, Security Administrator, Security Manager, Security Officer, Security Technician)
20. InfoSec Staffing Help Wanted
Definers provide the policies, guidelines, and standards
Builders are the real techies, who create and install security solutions
Operators run and administer the security tools, perform security monitoring, and continuously improve processes
21. Chief Information Security Officer
Top information security position in the organization
– Not usually an executive
– Frequently reports to the CIO/CTO
Qualifications & position requirements:
– Often a CISSP
– Graduate degree
– Experience as a security manager
Business managers first—technologists second; must also be conversant in all areas of security, including technical, planning, and policy
22. CISO Functions
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on funding
Sets priorities for InfoSec projects & technology
Makes decisions in recruiting, hiring, and firing of security staff
Acts as spokesperson for the security team
23. Security Manager
Accountable for the day-to-day operation of the information security program
Accomplishes objectives as identified by the CISO
Qualifications and position requirements:
– Not uncommon to have a CISSP
– Traditionally, managers have earned the CISSP while technical professionals earned the Global Information Assurance Certification
– Must have the ability to draft middle- and lower-level policies as well as standards and guidelines
– Must have experience in budgeting, project management, and hiring and firing
– Must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities
24. Security Technician
Technically qualified individuals tasked to configure security hardware and software
Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution
Qualifications and position requirements:
– Organizations prefer expert, certified, proficient technicians
– Job descriptions cover some level of experience with a particular hardware and software package
– Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required
25. Internal Security Consultant
Typically an expert in some aspect of information security
Although it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant
Must be highly proficient in the managerial aspects of security
Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO
26. Credentials of Infosec Professionals
Many organizations seek recognizable certifications to indicate the proficiency level associated with various security positions
Most certifications are relatively new and not fully understood by hiring organizations
27. Credentials of Infosec Professionals
Certifying bodies work hard to educate the general public on the value and qualifications of their certificate recipients
Employers are trying to understand the match between certifications and position requirements, and candidates are trying to gain meaningful employment based on newly received certifications
28. Credentials of Infosec Professionals
Certifications:
– Certified Information Systems Security Professional (CISSP) & Systems Security Certified Practitioner (SSCP) [(ISC)²]
– Global Information Assurance Certification (GIAC) [SANS Institute]
– Security Certified Professional (SCP) [SCP]
– TruSecure ICSA Certified Security Associate (TICSA) & TruSecure ICSE Certified Security Expert (TICSE) [TruSecure]
29. Credentials of Infosec Professionals
Certifications:
– Security+ [CompTIA]
– Certified Information Systems Auditor (CISA) & Certified Information Security Manager (CISM) [ISACA]
– Certified Information Forensics Investigator (CIFI) [ISFA]
– Computer and Network Security Technologies Graduate Certificate [IIT]
30. Cost of Being Certified
Certifications cost money, and the better certifications can be quite expensive; the cost of training can also be significant
Even an experienced professional finds it difficult to sit for one of these exams without some preparation
31. Cost of Being Certified
Many candidates teach themselves through trade press books; others prefer the structure of formal training
Before attempting a certification exam, do your homework and review the exam criteria, its purpose, and its requirements in order to ensure that the time and energy spent pursuing the certification are well spent
32. Preparing for Security Certification
FIGURE 11-3 Preparing for Security Certification (preparation routes shown: Self-Study Guides, Mentors & Study Partners, Work Experience, Training Media, Formal Training Programs, all leading to Certification)
33. Advice for Information Security Professionals
If you are a future information security professional, you can benefit from these suggestions on entering the information security job market:
– Always remember: business first, technology last
– It’s all about the information
– Be heard and not seen
– Know more than you say, be more skillful than you let on
– Speak to users, not at them
– Your education is never complete
34. Employment Policies and Practices
General management should integrate solid information security concepts into the organization’s employment policies and practices
If the organization can include security as a documented part of every employee’s job description, perhaps information security will be taken more seriously
35. Hiring and Termination Issues
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel
37. Job Descriptions
Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions
38. Interviews
An opening within information security is a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility
39. Background Checks
A background check is an investigation into a candidate’s past
There are regulations that govern such investigations
Background checks differ in the level of detail and depth with which the candidate is examined:
– Identity checks
– Education and credential checks
– Previous employment verification
– Reference checks
– Worker’s Compensation history
– Motor vehicle records
– Drug history
– Credit history
– Civil court history
– Criminal court history
40. Fair Credit Reporting Act
Federal regulations govern the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)
Background reports contain information on a job candidate’s credit history, employment history, and other personal data
FCRA prohibits employers from obtaining these reports unless the candidate is informed
41. Employment Contracts
Once a candidate has accepted the job offer, the employment contract becomes an important security instrument
Many security policies require an employee to agree in writing
– If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation
42. Employment Contracts
New employees, however, may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he/she agrees to the binding organizational policies
43. New Hire Orientation
As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security
The levels of authorized access are outlined, and training is provided on the secure use of information systems
By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely
44. On-the-Job Security Training
As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness training
Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security awareness mission
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees
45. Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level
46. Termination
When an employee leaves an organization, there are a number of security-related issues
The key issue is the protection of all information to which the employee had access
47. Termination Tasks
When an employee leaves, several tasks must be performed:
– Revoke access to the organization’s systems
– Return removable media
– Secure hard drives
– Change file cabinet locks
– Change office door lock
– Revoke keycard access
– Remove all personal effects from the organization’s premises
Once cleared—if circumstances dictate—former employees should be escorted from the premises
48. Exit Interview
In addition, many organizations use an exit interview to:
– Obtain feedback on the employee’s tenure in the organization
– Remind the departing employee of contractual obligations, such as nondisclosure agreements
– Remind the departing employee that if they fail to comply with contractual obligations, civil or criminal action may result
49. Exit Scenarios
From a security standpoint, the organization cannot risk the exposure of organizational information
The simplest and best method to handle the outprocessing of an employee is to select one of the scenarios that follow, based on the employee’s reasons for leaving:
– Hostile departure (nonvoluntary) procedure: termination, downsizing, layoff, or quitting
– Friendly departure (voluntary): retirement, promotion, or relocation
50. Hostile Departure Procedure
Termination, downsizing, layoff, or quitting
– Terminate all logical and keycard access before the employee is aware
– As soon as the employee reports for work, the employee is escorted into the supervisor’s office
– Upon receiving notice, the employee is politely escorted to the working space and allowed to collect personal belongings
– The employee is asked to surrender all keys, keycards, and other company property
– The former employee is then politely escorted out of the building
51. Friendly Departure Procedure
Retirement, promotion, or relocation
– The employee may have tendered notice well in advance of the actual departure date
– This actually makes it harder for security to maintain positive control over the employee’s access and information usage
– Employee access is usually allowed to continue, with a new expiration date
– Employees come and go at will, collect their own belongings, and leave on their own
– They are asked to drop off all organizational property “on their way out the door”
52. Termination
In all circumstances, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
It is possible that employees foresee departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment
53. Termination (continued)
Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine whether there has been a breach of policy or a loss of information
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed
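The post-departure log scrutiny described on the last two slides, as an added example that is not part of the lecture or the Whitman and Mattord text: it parses constructed log lines in an assumed format, flags any activity by a departed user after the access expiration date (a missed revocation task or reused credentials), and flags notice-period days where a departing user's reads and exports spike against that user's own earlier baseline. The user names, dates, log format and thresholds are all assumptions.

```python
"""Post-departure log review (added example; not from the lecture or the
Whitman & Mattord text). Log format, user names, dates and thresholds are
constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample log in an assumed "timestamp user action object" format.
SAMPLE_LOG = """\
2003-06-02T09:05:00 jdoe read /shares/finance/q2-forecast.xls
2003-06-03T10:12:00 jdoe read /shares/finance/budget.xls
2003-06-03T10:40:00 asmith read /shares/hr/handbook.doc
2003-06-16T17:55:00 jdoe export /shares/finance/customer-list.mdb
2003-06-16T18:02:00 jdoe export /shares/finance/pricing.xls
2003-06-16T18:10:00 jdoe export /shares/finance/contracts.zip
2003-06-16T18:14:00 jdoe export /shares/sales/pipeline.xls
2003-06-21T08:30:00 jdoe read /shares/finance/q2-forecast.xls
2003-06-21T23:41:00 jdoe login workstation-17
2003-06-22T01:03:00 asmith login workstation-04
"""

# Constructed departure roster: when notice was given and when access was set
# to expire (the "new expiration date" of a friendly departure).
DEPARTURES = {
    "jdoe": {"notice": datetime(2003, 6, 15),
             "access_ends": datetime(2003, 6, 20, 17, 0)},
}


def parse_log(text: str) -> List[dict]:
    """Parse each line into a dict; the line format is an assumption."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj})
    return events


def events_after_revocation(events: List[dict], departures: Dict[str, dict]) -> List[dict]:
    """Activity by a departed user at or after the access end time means the
    revocation task was missed or the credentials are being reused; each such
    event is returned so it can be declared an incident."""
    return [ev for ev in events
            if ev["user"] in departures
            and ev["ts"] >= departures[ev["user"]]["access_ends"]]


def notice_period_spikes(events: List[dict], departures: Dict[str, dict],
                         actions=("read", "export"), ratio=3.0, floor=3) -> dict:
    """Flag days in the notice period (notice <= ts < access_ends) on which a
    departing user's data-touching actions reach `ratio` times that user's own
    pre-notice daily average and at least `floor` events, so that one extra
    read does not trip the check. Returns {user: [(day, count), ...]}."""
    baseline = defaultdict(lambda: defaultdict(int))   # user -> day -> count
    notice = defaultdict(lambda: defaultdict(int))
    for ev in events:
        dep = departures.get(ev["user"])
        if dep is None or ev["action"] not in actions:
            continue
        if ev["ts"] < dep["notice"]:
            baseline[ev["user"]][ev["ts"].date()] += 1
        elif ev["ts"] < dep["access_ends"]:
            notice[ev["user"]][ev["ts"].date()] += 1
    flagged = {}
    for user, days in notice.items():
        base = baseline.get(user, {})
        avg = sum(base.values()) / len(base) if base else 0.0
        threshold = max(floor, ratio * avg)
        spikes = [(day.isoformat(), n) for day, n in sorted(days.items())
                  if n >= threshold]
        if spikes:
            flagged[user] = spikes
    return flagged


def review(text: str, departures: Dict[str, dict]) -> dict:
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {"after_revocation": events_after_revocation(events, departures),
            "notice_period_spikes": notice_period_spikes(events, departures)}


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, DEPARTURES)
    for ev in findings["after_revocation"]:
        print(f"after revocation: {ev['ts']} {ev['user']} {ev['action']} {ev['object']}")
    for user, spikes in findings["notice_period_spikes"].items():
        print(f"notice-period spike: {user} {spikes}")
```

On the constructed log, the two events on 21 June show the access expiration was not enforced, and the four exports on 16 June stand out against jdoe's one read per day before notice.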
54. Security Considerations for Nonemployees
A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft
55. Temporary Employees
Temporary employees: hired by the organization to serve in a temporary position or to supplement the existing workforce
As they are not employed by the host organization, they are often not subject to its contractual obligations or general policies; if these individuals breach a policy or cause a problem, the actions available are limited
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties
Ensure that the temp’s supervisor restricts the information to which they have access
56. Maintenance Personnel
Internal maintenance and custodial personnel who may have access to IT assets need to have the necessary clearances, even if handling these assets is not part of their regular job
Contract and warranty service personnel need to be supervised when working on any equipment with access to sensitive or classified data
Contract custodial personnel must be bonded
57. Contract Employees
Contract employees are typically hired to perform specific services for the organization
The host company often makes a contract with a parent organization rather than with an individual for a particular task
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility
There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated
58. Consultants
Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room
Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization
Just because you pay a security consultant doesn’t make the protection of your information his or her number one priority
59. Business Partners
Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom
Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all
60. Separation of Duties & Collusion
The completion of a significant task that involves sensitive information should require two people, using the check and balance method, to avoid collusion
– If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises
The check and balance method requires two or more people to conspire in order to commit an incident; such a conspiracy is known as collusion
61. Separation of Duties & Collusion
A similar concept is that of two-man control, where two individuals review and approve each other’s work before the task is categorized as finished
In two-man control, each person completely finishes the necessary work and then submits it to the co-worker
Each co-worker examines the work performed, double-checking the actions performed and ensuring that no errors or inconsistencies exist
62. Separation of Duties & Collusion
Another control used is job rotation, where employees know each other’s job skills
A mandatory vacation of at least one week provides the ability to audit the work
Need-to-know and least privilege ensure that no unnecessary access to data occurs, and that only those individuals who must access the data do so
63. Preventing Collusion
FIGURE 11-6 Preventing Collusion
Separation of Duties: Work is divided up. Each team member performs only his or her portion of the task sequence.
Two-man control: Team members review each other’s work.
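The three controls on this and the preceding three slides (separation of duties, two-man control, and need-to-know) modelled as one enforceable task workflow, an added example that is not taken from the lecture or the Whitman and Mattord text; the wire-transfer steps, the people, and the authorization table are assumptions.

```python
"""Separation of duties, two-man control and need-to-know as enforceable checks
(added example; not from the lecture or the Whitman & Mattord text). Task
names, people and the authorization table are constructed assumptions."""
from typing import Dict, List, Optional, Set


class ControlViolation(Exception):
    """Raised when an action would defeat one of the personnel controls."""


class SensitiveTask:
    """A task sequence over sensitive information, e.g. preparing, approving and
    releasing a payment. Steps run in order, each by a different person
    (separation of duties), each reviewed by a co-worker who is not the
    performer (two-man control), and only by people on the need-to-know list
    for that step (least privilege)."""

    def __init__(self, name: str, steps: List[str], authorized: Dict[str, Set[str]]):
        self.name = name
        self.steps = list(steps)
        self.authorized = authorized          # step -> people allowed on it
        self.performed: Dict[str, str] = {}   # step -> performer
        self.reviewed: Dict[str, str] = {}    # step -> reviewer

    def perform(self, step: str, person: str) -> None:
        if step not in self.steps:
            raise ValueError(f"unknown step {step!r}")
        if step in self.performed:
            raise ControlViolation(f"{step} already performed")
        expected = self.steps[len(self.performed)]
        if step != expected:
            raise ControlViolation(f"out of order: next step is {expected}")
        if person not in self.authorized.get(step, set()):
            raise ControlViolation(f"need-to-know: {person} is not authorized for {step}")
        if person in self.performed.values():
            raise ControlViolation(f"separation of duties: {person} already performed a step")
        self.performed[step] = person

    def review(self, step: str, reviewer: str) -> None:
        performer = self.performed.get(step)
        if performer is None:
            raise ControlViolation(f"{step} has not been performed yet")
        if reviewer == performer:
            raise ControlViolation(f"two-man control: {reviewer} cannot review own work")
        if reviewer not in self.authorized.get(step, set()):
            raise ControlViolation(f"need-to-know: {reviewer} is not authorized for {step}")
        self.reviewed[step] = reviewer

    def finished(self) -> bool:
        """Finished only when every step is both performed and reviewed."""
        return all(s in self.performed and s in self.reviewed for s in self.steps)


def violation(action, *args) -> Optional[str]:
    """Run an action; return the control violation message, or None if allowed."""
    try:
        action(*args)
        return None
    except ControlViolation as exc:
        return str(exc)


def wire_transfer_scenario() -> Dict[str, object]:
    """Walk a constructed wire-transfer task through the controls."""
    task = SensitiveTask(
        "wire transfer", ["prepare", "approve", "release"],
        authorized={"prepare": {"alice", "bob"},
                    "approve": {"carol", "dave"},
                    "release": {"bob", "dave"}},
    )
    outcome: Dict[str, object] = {}
    outcome["bob prepares"] = violation(task.perform, "prepare", "bob")
    outcome["alice approves"] = violation(task.perform, "approve", "alice")    # not on the list
    outcome["dave releases early"] = violation(task.perform, "release", "dave")  # out of order
    outcome["carol approves"] = violation(task.perform, "approve", "carol")
    outcome["bob releases"] = violation(task.perform, "release", "bob")       # did a step already
    outcome["bob reviews own prep"] = violation(task.review, "prepare", "bob")  # self-review
    outcome["alice reviews prep"] = violation(task.review, "prepare", "alice")
    outcome["dave reviews approval"] = violation(task.review, "approve", "dave")
    outcome["dave releases"] = violation(task.perform, "release", "dave")
    outcome["bob reviews release"] = violation(task.review, "release", "bob")
    outcome["finished"] = task.finished()
    return outcome


if __name__ == "__main__":
    for step, result in wire_transfer_scenario().items():
        print(f"{step}: {'ok' if result in (None, True) else result}")
```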
64. Privacy and the Security of Personnel Data
Organizations are required by law to protect employee information that is sensitive or personal
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives
This responsibility also extends to customers, patients, and business relationships
Learning Objectives:
Upon completion of this chapter you should be able to:
Understand where and how the information security function is positioned within organizations
Understand the issues and concerns about staffing the information security function
Know about the credentials professionals in the information security field can acquire
Recognize how an organization’s employment policies and practices can support the information security effort
Understand the special security precautions necessary for nonemployees
Recognize the need for the separation of duties
Understand the special requirements needed for the privacy of personnel data
When implementing information security, there are many human resource issues that must be addressed.
First, the entire organization must decide how to position and name the security function.
Second, the communities of interest must plan for the proper staffing for the information security function.
Third, the IT community of interest must understand the impact of information security across every role in the IT function and adjust job descriptions and documented practices accordingly.
Finally, the general management community of interest must work with the information security professionals to integrate solid information security concepts into the personnel management practices of the organization.
Understanding the impact of change to personnel management practices of the organization is important in the success of the implementation phase.
Experience has shown that employees often feel threatened when an organization is creating or enhancing an overall information security program.
Quelling the doubts and reassuring the employees is a fundamental part of the implementation process. It is important to supply adequate resources to gather and respond quickly to employee feedback.
Security Function Within An Organization’s Structure
In Charles Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy, the author indicates that the security function can be placed within the:
IT function, as a peer of other functions (networks, applications development, and help desk)
Physical security function, as a peer of physical security or protective services
Administrative services function, as a peer of human resources or purchasing
Insurance and risk management function
Legal department
The challenge is to design a reporting structure for the information security function that balances the competing needs of each of the communities of interest.
Organizations find compromise by placing the information security function where it can best balance the needs of enforcement of organizational policy with the education, training, awareness, and customer service needed to make information security part of the organizational culture.
Staffing The Security Function
Selecting information security personnel is based on a number of criteria, including the principles of supply and demand.
Many potential professionals seek to enter the security market by gaining the skills, experience, and credentials to qualify as a new supply.
Until the new supply reaches the demand level, organizations must pay the higher costs associated with the current limited supply.
Once the supply reaches a level at or above demand, the organizations hiring these skills become selective, and the cost they are willing to pay drops.
At the present time the information security industry is in a period of high demand, with few qualified individuals available for organizations seeking their services.
Qualifications and Requirements
There are a number of factors that influence an organization’s hiring decisions. In many organizations, information security teams lack established roles and responsibilities.
For the information security discipline to move forward, these factors must be addressed:
Management should learn more about position requirements and qualifications for both information security positions and IT positions that impact infosec.
Upper management should also learn more about the budgetary needs of the infosec function.
IT and management need to learn more about the level of influence and prestige the information security function should be given in order to be effective.
In most cases, organizations look for a technically qualified information security generalist, with a solid understanding of how an organization operates.
In many other career fields, the more specialized professionals become, the more marketable they are. But, in the information security discipline, over-specialization is often a risk.
It is important to balance technical skills with general information security knowledge.
Hiring Criteria
When hiring InfoSec professionals, organizations frequently look for individuals who understand:
How an organization operates at all levels
That information security is usually a management problem and seldom an exclusively technical one
People, and who have strong communication and writing skills
The roles of policy, education, and training
The threats and attacks facing an organization
How to protect the organization from those attacks
How business solutions can be applied to solve specific information security problems
Many of the most common mainstream IT technologies, at a generalist level
The terminology of IT and information security
Entry into the Security Profession
Many information security professionals enter the field through one of two career paths:
First, ex-law enforcement and military personnel move from their respective environments into the more business-oriented world of information security, and
Second, technical professionals find themselves working on security applications and processes more often than on traditional IS tasks.
Today, college graduates and upper division students are selecting and tailoring degree programs to prepare for work in the field of security.
The current perception in InfoSec is that a security professional must first be a proven professional in another field of IT.
IT professionals, however, who move into information security tend to focus on the technology to the exclusion of general information security issues.
Organizations can foster greater professionalism in the information security discipline through clearly defined expectations and position descriptions.
Information Security Positions
The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations.
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references like Wood’s book Information Security Roles and Responsibilities Made Easy, or Schwartz, et al’s report “InfoSec Staffing Help Wanted”.
InfoSec Staffing Help Wanted
“Definers provide the policies, guidelines and standards…They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth.
Then you have the builders. They're the real techies, who create and install security solutions.
You have the operators who run and administrate the security tools, the security monitoring function, and the people who continuously improve the processes. This is where all the day-to-day, hard work is done. What I find is we often try to use the same people for all of these roles.”
Chief Information Security Officer
This position is typically considered the top information security officer in the organization.
The CISO is usually not an executive-level position and frequently reports to the Chief Information Officer (CIO).
Though CISOs are business managers first and technologists second, they must also be conversant in all areas of security, including technical, planning, and policy.
The CISO performs the following functions:
Manages the overall InfoSec program
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
Develops InfoSec budgets based on available funding
Sets priorities for the purchase and implementation of InfoSec projects & technology
Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
Acts as the spokesperson for the security team
Qualifications and Position Requirements
The most common qualification expected for this type of position is the Certified Information Systems Security Professional (CISSP).
A graduate degree in criminal justice, business, technology, or a related field is also typically required.
To qualify for this level position, the candidate demonstrates experience as a security manager and presents experience with planning, policy, and budgets.
Security Manager
Security managers are accountable for the day-to-day operation of the information security program.
They accomplish objectives as identified by the CISO and resolve issues identified by technicians.
Within the information security community, there may be team leaders or project managers who are responsible for certain management-like functions, such as scheduling, setting relative priorities, or administering any number of procedural tasks, but are not necessarily held accountable for making a particular technology function.
Qualifications and Position Requirements
It is not uncommon for a candidate for this position to have a CISSP. Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification (GIAC).
Security managers must have the ability to draft middle and lower level policies as well as standards and guidelines.
They must have experience in traditional business matters: budgeting, project management, and hiring and firing.
They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities.
Security Technician
Security technicians are the technically qualified individuals tasked to configure security hardware and software and coordinate with administrators to ensure security is properly implemented.
A security technician is the ideal entry-level position; however, some technical skills are usually required.
Just as in networking, security technicians tend to be specialized, focusing on one major security technology group, and further specializing in one software or hardware package within the group.
If a security technician wants to move up, they must gain an understanding of the general, organizational issues of InfoSec as well.
Qualifications and Position Requirements
The technical qualifications and position requirements for a security technician are varied.
Organizations prefer the expert, certified, proficient technician.
Regardless of the area, the particular job description covers some level of experience with a particular hardware and software package.
Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required.
Internal Security Consultant
The information security consultant is typically an expert in some aspect of information security, usually brought in when the organization makes the decision to outsource aspects of its security program.
While it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant.
The security consultant must be highly proficient in the managerial aspects of security and have access to staff that can perform the technical implementations.
Most consultancies are idea generators rather than implementers.
Information security consultants usually enter the field after working as experts in the discipline.
A good security consultant often has experience as a security manager or CISO.
Some consultants are recruited by service companies, and as a result the job description is based on the needs and services of that particular company.
Credentials Of Information Security Professionals
Many organizations seek recognizable certifications to indicate the level of proficiency associated with the various security positions.
Most existing certifications are relatively new and not fully understood by hiring organizations.
The certifying bodies work hard to educate the general public on the value and qualifications of their certificate recipients.
Employers are trying to understand the match between certifications and the position requirements, and the candidates are trying to gain meaningful employment based on their newly received certifications.
CISSP and SSCP
Considered the most prestigious certification for security managers and CISOs, the CISSP is one of two certifications offered by the International Information Systems Security Certification Consortium, (ISC)². The SSCP is the other.
In order to sit for the CISSP exam, the candidate must possess at least three years of direct full-time security professional work in one or more of ten domains of information security knowledge:
Access control systems and methodology
Applications and systems development
Business continuity planning
Cryptography
Law, investigation, and ethics
Operations security
Physical security
Security architecture and models
Security management practices
Telecommunications, network, and Internet security
Once a candidate receives the CISSP, he or she must earn a specific number of continuing education credits every three years to retain the certification.
Like the CISSP, the SSCP certification is more applicable to the security manager than the technician, because most questions focus on the operational nature of InfoSec.
The SSCP focuses “on practices, roles and responsibilities as defined by experts from major IS industries.”
The SSCP covers seven domains:
Access controls
Administration
Audit and monitoring
Risk, response, and recovery
Cryptography
Data communications
Malicious code and malware
Global Information Assurance Certification
SANS developed a series of technical security certifications in 1999, known as the GIAC. At the time, no technical security certifications existed.
The GIAC family of certifications can be pursued independently or combined to earn the comprehensive certification, GIAC Security Engineer (GSE).
Like the SSCP, the GIAC Information Security Officer (GISO) is an overview certification that combines basic technical knowledge with understanding of threats, risks, and best practices.
Unlike other certifications, GIAC certifications require the applicant to first complete a written practical assignment before being allowed to take the exam. GIAC Certifications include:
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Information Security Officer - Basic (GISO - Basic)
GIAC Systems and Network Auditor (GSNA)
GIAC Certified Forensic Analyst (GCFA)
GIAC Security Leadership Certificate (GSLC)
To obtain the GIAC Security Engineer (GSE), considered the pinnacle of GIAC certifications, candidates must earn all of the above certifications and receive honors recognition in at least one before they are allowed to sit for the final certification.
GIAC is designed not only to test knowledge of a field, but also to require application of that knowledge through the practicum.
While there are a growing number of entry-level certifications, GIAC currently (as of 2003) offers the only advanced technical certifications.
Security Certified Professional
One of the newest certifications in information security, the SCP certification provides two tracks: the Security Certified Network Professional (SCNP) and the Security Certified Network Architect (SCNA).
The SCNP track focuses on firewalls and intrusion detection, and requires two exams.
Network Security Fundamentals (NSF)
Network Defense and Countermeasures (NDC)
The SCNA program focuses more on authentication, including biometrics and PKI:
PKI and Biometrics Concepts and Planning (PBC)
PKI and Biometrics Implementation (PBI)
T.I.C.S.A. and T.I.C.S.E.
The TruSecure ICSA certifications are among the first vendor-sponsored certifications; they focus on qualifications that are skills- and knowledge-based, technology-specific, and pragmatic.
A candidate must demonstrate appropriate experience and training before being allowed to sit for the examinations.
The T.I.C.S.A. certification is highly technical and is targeted towards network and systems administrators.
The examination is also based on the following TruSecure six categories of risk:
Electronic: External and internal, Hacking and sniffing, Spoofing.
Malicious code: Viruses and worms, Java and ActiveX, Trojans.
Physical: Theft and terminal hijack.
Human: Social engineering.
Privacy
Downtime: DoS attacks, Bugs, Power, Civil unrest, Natural disasters
Firewall implementation
Security policy formulation and implementation
Risk analysis
Attack method identification and solutions
Bastion hosts and system hardening techniques
Proxy server filtering properties
Packet filter definition and filtering criteria
Basic packet filter rule set design
VPN deployment
OS security expertise
Applied cryptography (PGP, S/MIME, VPNs)
Key management issues and solutions
Incident response planning
Biometrics
Network and computer forensics
Security+
CompTIA (www.comptia.com)
The Security+ certification is similar to the Network+ certification and to many others in its focus on the key skills necessary to perform security work, without being tied to a particular software or hardware vendor package.
Certified Information Systems Auditor
The CISA certification contains many information security components.
The Information Systems Audit and Control Association promotes the certification for auditing, networking, and security professionals.
The CISA certification has requirements in common with other security certifications, including:
Successful completion of the CISA examination
Experience as an information systems auditor
Agreement to the Code of Professional Ethics and the Information Systems Auditing Standards
Continuing education
The exam covers the following areas of information systems auditing:
The IS audit process (10 percent)
Management, planning, and organization of IS (11 percent)
Technical infrastructure and operational practices (13 percent)
Protection of information assets (25 percent)
Disaster recovery and business continuity (10 percent)
Business application system development, acquisition, implementation, and maintenance (16 percent)
Business process evaluation and risk management (15 percent)
The exam is only offered once a year, so advance planning is a must.
Certified Information Systems Forensics Investigator
The Information Security Forensics Association is developing an examination for a certified information systems forensics investigator, which evaluates tasks and responsibilities dealing with incident response, working with law enforcement, and auditing incidents.
Although the certification exam has not been fully developed, the common body of knowledge has been tentatively defined to include:
Countermeasures
Auditing
Incident response teams
Law enforcement and investigation
Traceback
Cost of Being Certified
Certifications cost money, and the better certifications can be quite expensive. The cost for formal training to prepare for the certification can also be significant.
While you should not attempt to earn a certification without professional experience, these courses can help candidates round out their knowledge and fill in gaps.
Even an experienced professional would find it difficult to sit for one of these exams without some preparation.
Many candidates teach themselves through trade press books.
Others prefer the structure of formal training, because it includes practicing the technical components on equipment the candidate may not be able to access.
Before attempting a certification exam, do your homework.
Look at the exam criteria, its purpose and requirements in order to ensure that the time and energy spent pursuing the certification are well spent.
Advice for Information Security Professionals
As a future information security professional, you can benefit from these suggestions on entering the information security job market.
Always remember: business first, technology last.
It’s all about the information
Be heard and not seen.
Know more than you say, be more skillful than you let on.
Speak to users, not at them.
Your education is never complete.
EMPLOYMENT POLICIES AND PRACTICES
The general management community of interest should integrate solid information security concepts into the organization’s employment policies and practices.
If the organization can include security as a documented part of every employee’s job description, then perhaps information security will be taken more seriously.
Hiring and Termination Issues
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls.
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel.
Job Descriptions
Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions.
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions.
Interviews
The next point of contact with a potential employee is the job interview.
An opening within Information Security presents a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.
For other areas, information security should advise HR to limit information provided to the candidate on the responsibilities and access rights the new hire would have.
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility, so that sensitive areas, systems, and information are not exposed.
Background Checks
A background check is an investigation into the candidate’s past, specifically looking for criminal behavior that could indicate potential for future misconduct.
There are a number of regulations that govern what the organization can investigate, and how much of the information can influence the hiring decision, requiring the security and HR managers to discuss these matters with counsel.
Background checks differ in the level of detail and depth with which the candidate is examined:
Identity checks
Education and credential checks
Previous employment verification
References checks
Worker’s Compensation history
Motor vehicle records
Drug history
Credit history
Civil court history
Criminal court history
Fair Credit Reporting Act
There are federal regulations regarding the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA), which governs consumer credit reporting agencies and the uses of information obtained from them.
These reports contain information on a job candidate’s credit history, employment history, and other personal data.
Among other things, the FCRA prohibits employers from obtaining these reports unless the candidate is informed in writing that such a report will be requested as part of the employment process.
The FCRA also restricts the periods of time these reports can address.
Employment Contracts
Once a candidate has accepted the job offer, the employment contract becomes an important security instrument.
Many policies require an employee to agree in writing. If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation.
New employees, however, may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he or she agrees to the binding organizational policies.
New Hire Orientation
As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures and requirements for information security within the new position.
The levels of authorized access are outlined, and training provided on the secure use of information systems.
By the time employees are ready to report to their positions, they should be thoroughly briefed, and ready to perform their duties securely.
On-the-Job Security Training
As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness and training.
Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security mission.
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees.
Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations.
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level.
Termination
When an employee leaves an organization, there are a number of security-related issues. Key among these is the continuity of protection of all information to which the employee had access.
When an employee prepares to leave, the following tasks must be performed:
Access to the organization’s systems disabled
Removable media returned
Hard drives secured
File cabinet locks changed
Office door lock changed
Keycard access revoked
Personal effects removed from the organization’s premises
Once the employee has delivered keys, keycards, and other business property, he or she should be escorted from the premises.
Hostile Departure
Hostile departure (involuntary) for termination, downsizing, layoff, or quitting:
Before the employee knows he or she is leaving, security terminates all logical and keycard access.
As soon as the employee reports for work, he or she is escorted into the supervisor’s office for the news.
Upon receiving notice, the employee is escorted to his or her work area and allowed to collect personal effects.
No organizational property is taken from the premises.
The employee is asked to surrender all keys, keycards, and other company property.
The employee is then escorted out of the building.
Friendly Departure
Friendly departure (voluntary) for retirement, promotion, or relocation:
In this case, the employee may have tendered notice well in advance of the actual departure date. This actually makes it more difficult for security to maintain positive control over the employee’s access and information usage.
Employee accounts are usually allowed to continue, with a new expiration date set to the departure date.
Employees come and go at will and collect their own belongings, and leave on their own.
They are asked to drop off all organizational property “on their way out the door.”
In either circumstance, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores.
It is possible in either situation that the employees foresee departure well in advance, and begin collecting organizational information or anything that could be valuable in their future employment.
Only by scrutinizing systems logs after the employee has departed, and sorting out authorized actions from systems misuse or information theft can the organization determine if there has been a breach of policy or a loss of information.
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.
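The post-departure log review described above, worked through as an added example (this is not code from the slides or from Whitman and Mattord). It assumes a simplified one-line-per-event log format, constructed personnel records for a friendly departure with two weeks' notice and a hostile departure with none, a set of action names that move data out, and a spike threshold; none of these is defined on the page. The three checks it applies are the ones the text motivates: any activity after the termination time (access was not disabled), data-moving actions during the notice period, and a jump in daily volume over the pre-notice baseline.

```python
"""Post-departure log review (added example, not from the original slides).

Constructed sample data: the log line format ('timestamp user action object'),
the personnel records, the action names and the spike threshold are all
assumptions made for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M"
SPIKE_FACTOR = 3                                # assumed: a notice-period day with >= 3x the
                                                # pre-notice daily maximum is suspicious
EXFIL_ACTIONS = {"copy", "download", "export"}  # assumed action names that move data out

# Constructed personnel records: when notice was given and when all access
# should have been disabled. For a hostile departure the two coincide.
DEPARTURES = {
    "jdoe":   {"notice": "2003-06-02T09:00", "terminated": "2003-06-16T17:00"},
    "rsmith": {"notice": "2003-06-10T08:00", "terminated": "2003-06-10T08:00"},
}

# Constructed log lines (format: timestamp user action object).
SAMPLE_LOG = """\
2003-05-20T10:12 jdoe read /projects/alpha/spec.doc
2003-05-21T11:03 jdoe read /projects/alpha/budget.xls
2003-05-28T09:40 jdoe read /projects/alpha/plan.doc
2003-06-03T10:00 alice read /hr/handbook.doc
2003-06-03T22:10 jdoe read /projects/alpha/spec.doc
2003-06-03T22:11 jdoe read /projects/alpha/budget.xls
2003-06-03T22:12 jdoe read /projects/alpha/plan.doc
2003-06-03T22:13 jdoe read /projects/alpha/contacts.xls
2003-06-03T22:14 jdoe read /projects/alpha/pricing.xls
2003-06-03T22:30 jdoe copy /projects/alpha usb-drive
2003-06-10T08:30 rsmith login workstation
2003-06-17T08:05 jdoe login vpn
"""


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        events.append({"ts": datetime.strptime(parts[0], FMT), "user": parts[1],
                       "action": parts[2], "object": parts[3] if len(parts) == 4 else ""})
    return events


def review_departures(events, departures):
    """Return {user: [finding tuples]} for each departing or departed employee."""
    findings = defaultdict(list)
    for user, dates in departures.items():
        notice = datetime.strptime(dates["notice"], FMT)
        terminated = datetime.strptime(dates["terminated"], FMT)
        mine = [e for e in events if e["user"] == user]

        for e in mine:
            # 1. Any activity after the termination time means access was not disabled.
            if e["ts"] > terminated:
                findings[user].append(("access_after_termination",
                                       e["ts"].strftime(FMT), e["action"], e["object"]))
            # 2. Data-moving actions during the notice period: pre-departure collection.
            elif notice <= e["ts"] and e["action"] in EXFIL_ACTIONS:
                findings[user].append(("exfil_action_in_notice_period",
                                       e["ts"].strftime(FMT), e["action"], e["object"]))

        # 3. Volume spike: compare each notice-period day against the pre-notice daily maximum.
        per_day = Counter(e["ts"].date() for e in mine)
        baseline_max = max([n for d, n in per_day.items() if d < notice.date()], default=1)
        for day, count in sorted(per_day.items()):
            if notice.date() <= day <= terminated.date() and count >= SPIKE_FACTOR * baseline_max:
                findings[user].append(("activity_spike", day.isoformat(), count, baseline_max))
    return dict(findings)


def run_review():
    """Run the review over the constructed sample; returns findings keyed by user."""
    return review_departures(parse_log(SAMPLE_LOG), DEPARTURES)


if __name__ == "__main__":
    for user, items in run_review().items():
        print(user)
        for item in items:
            print("   ", item)
```

Run as a script, it reports jdoe's late-night bulk reads and copy to removable media during the notice period plus a VPN login the day after departure, and rsmith's workstation login half an hour after access should already have been cut. The third finding is the practical reason hostile departures disable access before the employee is told: a log entry after the termination timestamp is by itself a policy failure, regardless of what was done in the session.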
Security Considerations For Nonemployees
A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information.
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.
Temporary Employees
Temporary employees are hired by the organization to serve in a temporary position or to supplement the existing workforce.
These employees may be the paid employees of a “temp agency” or similar organization.
As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies of other employees.
If these individuals breach a policy or cause a problem, the strongest action the host organization can take is to terminate the relationships with the individuals and request that they be censured.
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties.
The organization can attempt to have temporary employees sign non-disclosure agreements and fair use policies, but they may refuse, forcing the organization to either dismiss the temp worker or allow him to work without the agreement.
Ensure that the temp’s supervisor restricts the information to which he has access and makes sure all employees follow good security practices, especially clean desk policies and the security of classified data.
Contract Employees
Contract employees are typically hired to perform specific services for the organization.
The host company often makes a contract with a parent organization rather than with an individual for a particular task.
Although some individuals may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources.
Contract employees may need access to various facilities; however, this does not mean they should be allowed to wander freely in and out of buildings.
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility.
Certain restrictions or requirements also need to be negotiated into the contract agreements when they are drawn up.
Consultants
Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room.
Security and technology consultants especially must be prescreened, escorted, and subjected to non-disclosure agreements to protect the organization from possible intentional or accidental breaches of confidentiality.
Just because you pay a security consultant, doesn’t make the protection of your information his or her number one priority.
Business Partners
On occasion, businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage.
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom.
Non-disclosure agreements abound, and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all.
Separation Of Duties And Collusion
Separation of duties is a cornerstone in the protection of information assets and in preventing loss.
The completion of a significant task that involves sensitive information should require two people.
If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises.
The check and balance method requires two or more people to conspire to commit an incident, which is known as collusion. The odds that two people are willing and able to misuse or abuse the system are much lower than one.
Related to the concept of separation of duties is that of two-man control, the requirement that two individuals review and approve each other’s work before the task is categorized as finished. This is distinct from separation of duties, in which the two work in sequence.
In two-man control, each person completely finishes the necessary work, and then submits it to the co-worker.
Each co-worker examines the work performed, double checking the actions performed, and making sure no errors or inconsistencies exist.
Another control used to prevent personnel from misusing information assets is job rotation or task rotation, the requirement that every employee be able to perform the work of another employee.
Ensuring that all critical tasks have multiple individuals capable of performing the tasks can greatly increase the chance that one employee could detect misuse of the system or abuse of the information of another.
A mandatory vacation, of at least one week, provides the ability to audit the work of an individual.
Individuals who are stealing or misusing information or systems are reluctant to take vacations, for fear that their actions will be detected.
Employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties.
Similar to the concept of need-to-know, least privilege ensures that no unnecessary access to data occurs, and that only those individuals who must access the data do so.
The whole purpose of information security is to allow those people with a need to use information to do so without concern for the loss of confidentiality, integrity, and availability.
Anyone who can access data eventually will, so every unnecessary access path is a potential loss.
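The controls in this section (separation of duties, two-person control, and least privilege), expressed as enforcement logic in an added example that is not from the slides or from Whitman and Mattord. The payments scenario, the role names, the users and the amount threshold that triggers two-person control are all constructed assumptions; the page does not specify any of them. The point the code makes that the prose does not is where each check has to sit: the requester is refused as approver even if an account somehow holds both roles, the same approver counting twice is refused, and every decision is written to an audit record so that the post-departure review has something to scrutinize.

```python
"""Separation of duties, two-person control and least privilege as code
(added example, not from the original slides).

Constructed roles, users, amounts and threshold; all are assumptions.
"""
from dataclasses import dataclass, field

# Least privilege: each role gets only the permissions it needs; anything else is denied.
ROLE_PERMISSIONS = {
    "payments_clerk": {"request_transfer"},
    "payments_supervisor": {"approve_transfer"},
    "auditor": {"read_ledger"},
}
USERS = {"ann": "payments_clerk", "bob": "payments_supervisor",
         "cat": "payments_supervisor", "dan": "auditor"}
TWO_PERSON_THRESHOLD = 10_000   # assumed: at or above this, two distinct approvers are required

AUDIT_LOG = []   # who did what; the record a post-departure log review depends on


class PolicyViolation(Exception):
    """Raised when an action would breach a personnel control."""


def has_permission(user, permission):
    """Default deny: unknown users and unknown roles have no permissions."""
    return permission in ROLE_PERMISSIONS.get(USERS.get(user), set())


@dataclass
class Transfer:
    amount: int
    requested_by: str
    approvals: set = field(default_factory=set)
    released: bool = False


def request_transfer(user, amount):
    if not has_permission(user, "request_transfer"):
        raise PolicyViolation(f"{user} may not request transfers")
    AUDIT_LOG.append(("request", user, amount))
    return Transfer(amount, user)


def approve_transfer(transfer, user):
    if not has_permission(user, "approve_transfer"):
        raise PolicyViolation(f"{user} may not approve transfers")
    # Separation of duties: the person who started the task never completes it alone,
    # even if one account were to hold both the clerk and the supervisor role.
    if user == transfer.requested_by:
        raise PolicyViolation("requester cannot approve own transfer")
    transfer.approvals.add(user)      # a set: the same approver cannot count twice
    AUDIT_LOG.append(("approve", user, transfer.amount))


def release_transfer(transfer):
    # Two-person control above the threshold: two distinct approvers must each have reviewed it.
    required = 2 if transfer.amount >= TWO_PERSON_THRESHOLD else 1
    if len(transfer.approvals) < required:
        raise PolicyViolation(f"{len(transfer.approvals)} of {required} approvals present")
    transfer.released = True
    AUDIT_LOG.append(("release", sorted(transfer.approvals), transfer.amount))
    return transfer


def violates(func, *args):
    """True if the call is rejected by policy, False if it is allowed."""
    try:
        func(*args)
    except PolicyViolation:
        return True
    return False


def demo():
    """Exercise the controls on constructed data; returns which outcomes occurred."""
    results = {}
    small = request_transfer("ann", 500)
    results["self_approval_blocked"] = violates(approve_transfer, small, "ann")
    results["auditor_approval_blocked"] = violates(approve_transfer, small, "dan")
    results["unknown_user_blocked"] = violates(request_transfer, "mallory", 1)
    approve_transfer(small, "bob")
    results["small_released_with_one"] = release_transfer(small).released

    large = request_transfer("ann", 50_000)
    approve_transfer(large, "bob")
    results["large_blocked_with_one"] = violates(release_transfer, large)
    approve_transfer(large, "bob")     # repeat by the same approver adds nothing
    results["large_blocked_same_approver_twice"] = violates(release_transfer, large)
    approve_transfer(large, "cat")
    results["large_released_with_two"] = release_transfer(large).released
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    for entry in AUDIT_LOG:
        print(entry)
```

Collusion is still possible here (bob and cat could agree to approve a bad transfer), which is exactly the residual risk the text describes; the control's value is that it now takes two willing people rather than one. Job rotation and mandatory vacation are the complementary controls that make the audit log worth something, because someone other than the usual operator will eventually read it.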
Privacy And The Security Of Personnel Data
Another personnel and security topic is the security of personnel and personal data.
Organizations are generally required by law to protect employee information that is sensitive or personal.
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives.
This responsibility also extends to customers, patients, and business relationships.