Ch 11 - Security and Personnel Flashcards
Story or vignette
The story is about Iris Majwubu who gets an email from the senior manager of IT, Charlie Moody.
In the email, he asks her to come by, as he would like to discuss the Magruder case and investigation. Magruder was the employee who left the USB at the coffee station and was found to be selling sensitive company information.
It turns out he wants to reward her with an opportunity to join the information security team, as her actions saved the company from having significant losses. She is hesitant, but she says that she’ll think about it.
Learning Objectives
- How should the info sec. function be positioned within an organization?
- What are the issues/concerns that must be addressed when staffing the IS function?
- What are some IS credentials one can earn in the field?
- How can employment policies and practices support the IS function?
- What special security precautions should be taken when using contract workers?
- What are the requisites (needed) to ensure the privacy of personnel data?
How are IS departments usually positioned?
Within the information technology department of organizations.
The CISO or CSO heads the department and reports to the CIO.
The two do not always have the same interests in mind:
CIO - access
CSO/CISO - security
A balance between access and security is essential
Other possible places where the IS function can be positioned in an organization’s structure
- IT function
- Physical security function
- Administrative services function
- Insurance and risk mgmt. function
- Legal department
Wherever the IS function is positioned matters less than that it meets two criteria:
- That it is able to have a say in terms of the reporting function.
- That it is able to enforce organizational policy, meaning monitor compliance.
- And that it be able to provide education, training, awareness, and customer service.
Best hiring practices
- Gen. mgmt. should learn about the skills/requisites needed to carry out the IS job.
- Gen. mgmt. needs to understand and allocate a budget that allows the IS function to carry out its duties
- IT and Gen. mgmt. should grant the appropriate level of influence and prestige to the IS function.
Important skills for people in the IS function to understand:
- How an organization operates at all levels
- That information security is usually a management problem and is seldom an exclusively technical problem
- How to work with people and collaborate with end users, and the importance of strong communications and writing skills
- The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution, rather than part of the problem
- Most mainstream IT technologies (not necessarily as experts, but as generalists)
- The terminology of IT and information security
- The threats facing an organization and how these threats can become attacks
- How to protect an organization’s assets from information security attacks
- How business solutions (including technology-based solutions) can be applied to solve specific information security problems
The broad 3 areas of IS job classifications:
- Those that define the IS program - provide the policies, guidelines, and standards. They do the consulting and risk assessment, and develop the product and technical architectures. Senior people in the field with broad knowledge.
- Those that build the IS system and create the programs to implement IS controls. The techies.
- Those that administer the infosec control systems and programs that have been created. The sheep that can carry out specific tasks.
CISO duties and responsibilities
- Manages the overall information security program for the organization
- Drafts or approves information security policies
- Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
- Develops information security budgets based on available funding
- Sets priorities for the purchase and implementation of information security projects and technology
- Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
- Acts as the spokesperson for the information security team
CISSP
Certified Information Systems Security Professional
CISSP accreditation
CISM
GIAC
CISM -Certified Information Security manager
GIAC - Global Info. Assurance Certification
(ISC)2
International Information Systems Security Certification Consortium
It is considered one of the foremost organizations offering information security certifications today. Currently (ISC)2 offers three primary certifications and three specializations for its flagship certification.
CISSP - Certified Info Systems Security Professional
Concentrations of CISSP - Info Systems Security: Engineering Prof., Mgmt. Prof, and Architecture Prof.
SSCP - Systems Security Certified Practitioner
Associate of ISC2
CAP - Certification and Accreditation Professional
ISACA Certifications
The Information Systems Audit and Control Association
Offers 2 certifications:
CISA - for auditing, networking, and security professionals
CISM - for info. security management professionals
Requisites:
- Successful completion of the requisite examination
- Experience as an information systems auditor, with a minimum of five years’ professional experience in an area of direct interest to the certification
- Agreement to the ISACA Code of Professional Ethics
- Compliance with a continuing education policy that requires maintenance fees, a minimum of twenty contact hours of continuing education each year, and a minimum of 120 contact hours over the three-year certification period
CISA
ISACA
Certified information systems auditor
CISM
ISACA
Certified Info Security Manager
GIAC
Global Information Assurance Certification
Org: SANS
Job Descriptions and Info Sec
Do not advertise access to sensitive information in the job description
Background Checks components
Types of checks
- Identity
- Education and credential
- Previous employment verification
- Reference
- Worker’s compensation history
- Motor vehicle records
- Drug history
- Credit history
- Civil court history
- Criminal court history
Terminating an employee
Tasks that must be performed from an IS perspective:
- Access to org’s systems must be disabled
- Removable media must be returned
- Hard drives must be secured
- File cabinet locks must be changed
- Office door locks must be changed
- Keycard access must be revoked
- Personal effects must be removed from the org’s premises
Escorting off the premises.
Hostile vs. friendly departures
exit interviews
Reminder of NDAs (civil or criminal prosecution), feedback, etc.
Separation of duties
Important for protecting information assets, especially financial assets.
General categories of functions to be separated:
- authorization function
- recording function, e.g. preparing source documents or code or performance reports
- custody of assets, whether directly or indirectly, e.g. receiving checks in the mail or implementing source code or database changes
- reconciliation or audit
- splitting one security key into two (or more) parts held by separate responsible persons
two-person control
two-person control - requiring two individuals to review and approve each other’s work before the task is categorized as done/finished.
job rotation or task rotation
the requirement that every employee be able to perform the work of another employee. If it is not feasible that one employee learn the entire job of another, then the organization should at least try to ensure that for each critical task it has multiple individuals on staff who are capable of performing it.
Mandatory vacations
A mandatory vacation, of at least one week, provides the organization with the ability to audit the work of an individual. Individuals who are stealing from the organization or otherwise misusing information or systems are, in general, reluctant to take vacations, for fear that their actions will be detected.
least-privilege principle
employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties. In other words, there is no need for everyone in the organization to have access to all information.