INFORMATION SECURITY MANAGEMENT LECTURE 10: PERSONNEL & SECURITY You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra Introduction • Maintaining a secure environment requires that the InfoSec department be carefully structured and staffed with appropriately credentialed personnel • Proper procedures must be integrated into all human resources activities Qualifications and Requirements – Recognizing that InfoSec is a management task that cannot be handled with technology alone – Acknowledging the role of policy in guiding security efforts – Understanding of the essential role of information security education and training – Perceive the threats facing an organization – Understanding how to apply technical controls Information Security Positions • Types of Information security positions – Definers – Builders – Administrators • Common Positions • CISO • Security Mgr • Security Technician Information Security Professional Credentials • Many organizations rely on professional certifications • Employers struggle to match certifications to position requirements • Certifying bodies work to educate their constituent communities on the value and qualifications of their certificate recipients (ISC)2 Certifications - CISSP InfoSec common body of knowledge Access Control Application Security Business Continuity and Disaster Recovery Planning Cryptography Information Security and Risk Management Legal, Regulations, Compliance and Investigations Operations Security Physical (Environmental) Security Security Architecture and Design Telecommunications and Network Security (ISC)2 Certifications (cont’d.) • Systems Security Certified Practitioner – Focuses on practices, roles, and responsibilities covering seven domains: • Access controls • Analysis and monitoring • Cryptography • Malicious code • Networks and Telecommunications • Risk, Response and Recovery • Security Operations and Administration (ISC)2 Certifications (cont’d.) • ISSAP®: Information Systems Security Architecture Professional Access control systems and methodology Telecommunications and network security Cryptography Requirements analysis and security standards, guidelines, criteria Technology-related business continuity planning and disaster recovery planning – Physical security integration – – – – – (ISC)2 Certifications (cont’d.) • ISSEP®: Information Systems Security Engineering Professional • ISSMP®: Information Systems Security Management Professional Global Information Assurance Certification • GIAC Certifications – – – – – – – – Information security fundamentals (GISF) Security essentials certification (GSEC) Certified firewall analyst (GCFW) Certified intrusion analyst (GCIA) Certified incident handler (GCIH) Certified Windows security administrator (GCWN) Certified UNIX security administrator (GCUX) Certified forensics analyst (GCFA) Global Information Assurance Certification (cont’d) • GIAC Certifications (cont’d.) – – – – – – Securing Oracle Certification (GSOC) Intrusion Prevention (GIPS) Cutting Edge Hacking Techniques (GHTQ) Web Application Security (GWAS) Reverse Engineering Malware (GREM) Assessing Wireless Networks (GAWN) Security+ • The CompTIA Security+ certification – Tests for security knowledge mastery – Must have two years of on-the-job networking experience with emphasis on security – Exam covers industry-wide topics including: • Systems security (21%) • Network infrastructure (20%) • Access control (17%) • Assessments & audits (15%) • Cryptography (15%) • Organizational Security (12%) Certification Costs • Preferred certifications can be expensive • Certifications recognize experts in their respective fields • Most examinations: – Require between two and three years experience – Structured to reward candidates who have significant hands-on experience Employment Policies and Practices • Management should integrate solid information security concepts – Across all of the organization’s employment policies and practices – Including information security responsibilities into every employee’s job description and subsequent performance reviews Security as Part of Performance Evaluation • Organizations should incorporate information security components into employee performance evaluations Termination Issues • When an employee leaves an organization, the following tasks must be performed: Termination Issues: Hostile Departure Security cuts off all logical and keycard access before the employee is terminated The employee reports for work, and is escorted into the supervisor’s office to receive the bad news The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects Termination Issues: Friendly Departure The employee may have tendered notice well in advance of the actual departure date Employee accounts are usually allowed to continue, with a new expiration date The employee can come and go at will • Usually collects any belongings and leaves without escort, dropping off all organizational property before departing Termination Issues • In either circumstance: – Offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organizational stores – Departing employees may have collected and taken home information or assets that could be valuable in their future jobs – Scrutinizing system logs may allow an organization to determine whether a breach of policy or a loss of information has occurred Personnel Security Practices • Methods of monitoring and controlling employees – – – – Separation of duties Two-man control Job rotation Task rotation Security of Personnel and Personal Data • Organizations are required by law to protect sensitive or personal employee information – Responsibility extends to customers, patients, and anyone with whom the organization has business relationships • Personnel data is no different than other data that information security is expected to protect – But more regulations cover its protection Security Considerations for Nonemployees • Many individuals who are not employees often have access to sensitive organizational information Security Considerations for Nonemployees • Temporary workers • Not employed by the organization for which they’re working • May not be subject to the contractual obligations or policies that govern employees • Unless specified in its contract with the organization, the temporary agency may not be liable for losses caused by its workers • Access to information should be limited to what is necessary to perform their duties Security Considerations for Nonemployees • Contract employees • Know what they need access to • Not all contractors need universal access • Regulations for service agreements or contracts: – Require 24 to 48 hours’ notice – Require all on-site personnel to undergo background checks – Require advance notice for cancellation or rescheduling of a maintenance visit Security Considerations for Nonemployees (cont’d.) • Consultants – Have their own security requirements and contractual obligations – Protecting your information may not be their number one priority – Apply the principle of least privilege