Security and Personnel

Slides:



Advertisements
Similar presentations
IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
Advertisements

© Prentice Hall CHAPTER 15 Managing the IS Function.
Introduction When implementing information security, there are many human resource issues that must be addressed Positioning and naming of the security.
So You Want to Break Into the Industry… SAS No. 94 Requirements and Issues Related to IT Audits for Not-for-Profit Organizations.
MANAGEMENT of INFORMATION SECURITY Second Edition.
Internal Audit Awareness
StanSource Inc. is Information Technology services and solutions providing organization engaged in providing a full range of solutions and services to.
INFORMATION SECURITY MANAGEMENT L ECTURE 10: P ERSONNEL & S ECURITY You got to be careful if you don’t know where you’re going, because you might not get.
CISA/CISM Programs DoD and Component Overview June 29, 2006.
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
ISEB Qualifications an evolving framework for the future.
Hands-On Ethical Hacking and Network Defense
Security Controls – What Works
ISA 562 Summer Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice.
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Principles of Information Security, 3rd Edition2 Introduction  When implementing information security, there are many human resource issues that must.
MANAGEMENT of INFORMATION SECURITY Second Edition.
Information Systems Security Officer
Security and Personnel
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Oracle Database Administration. Rana Almurshed 2 course objective After completing this course you should be able to: install, create and administrate.
Security Organization
Security Certification
Chapter 2 Modern Private Security
Principles of Information Security, 2nd Edition2 Learning Objectives Upon completion of this material, you should be able to:  Understand where and how.
Management of Information Security, 4th Edition
Principles of Information Security, Fourth Edition
Certification and Training Presented by Sam Jeyandran.
SEC835 Database and Web application security Information Security Architecture.
Principles of Information Security, Fifth Edition
WORKING EFFECTIVELY IN AN INFORMATION TECHNOLOGY ENVIRONMENT
Introduction to Security
OVERVIEW OF INFORMATION SYSTEM (IS) AUDITING NORHAFIZAH BINTI ABDUL MUDALIP YAP YONG TECK TAN YUAN JUE TAY QIU JIE GROUP MEMBER:
Nata Raju Gurrapu Agenda What is Information and Security. Industry Standards Job Profiles Certifications Tips.
Chapter 4 of the Executive Guide manual
CISSP Thomas Moore. Thomas Moore, Ph.D., EMBA BCSA BCSP LCNAD CISM CISSP LMNOP (Licensed Microsoft Network Operations Professional) B.S. No, really, in.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
CISSP Best Practices Guide to the Basics of Certified Information Systems Security Professional 1 The Certified Information System Security Professional.
Hosted by Staffing Security Positions How To Choose The Right Personnel Jeffrey Posluns, CISA, CISSP, SSCP, CCNP, GSEC SecuritySage Inc.
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.
ORGANIZING IT SERVICES AND PERSONNEL (PART 1) Lecture 7.
Placing Information Security within an Organization
SecSDLC Chapter 2.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Company: Cincinnati Insurance Company Position: IT Governance Risk & Compliance Service Manager Location: Fairfield, OH About the Company : The Cincinnati.
Chapter 8 Auditing in an E-commerce Environment
Chapter 9 The People in Information Systems. Learning Objectives Upon successful completion of this chapter, you will be able to: Describe each of the.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
MANAGEMENT of INFORMATION SECURITY Second Edition.
INFORMATION SECURITY MANAGEMENT L ECTURE 2: P LANNING FOR S ECURITY You got to be careful if you don’t know where you’re going, because you might not get.
SY0-401 CompTIA Security+ Certification Pass CompTIA Security+ Certification Exam By The Help Of Exams4Sure Get Complete File From
Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 3: Certification Programs and the Common Body of Knowledge.
Chapter 15 Telecommunication Department Management.
CITA 352 Chapter 1 Ethical Hacking Overview. Introduction to Ethical Hacking Ethical hackers –Hired by companies to perform penetration tests Penetration.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition.
MS in IT Auditing, Cyber Security, and Risk Assessment
IS4680 Security Auditing for Compliance
Chapter 2 Modern Private Security
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
CISSP TRAINING IN.
Careers in IT.
Description of Revision
CIS 349 Competitive Success/snaptutorial.com
CIS 349 Education for Service/snaptutorial.com
CIS 349 Teaching Effectively-- snaptutorial.com
CS 490/CIS 790 Information System Security
~ 20% of employees are military veterans.
Presentation transcript:

Security and Personnel Chapter 11

Positioning & Staffing Security Function Location of IS function within organization function IT function as a peer or other IT functions (help desk) Physical security Administrative services function – peer to HR Insurance and risk management function Legal department Balance between access and security

Staffing IS Function Demand More openings than qualified candidates Needs of organization for better hiring practices Knowledge of skills and qualification needed Knowledge of budgetary needs of IS function and associated positions Appropriate level of influence and prestige necessary to perform function

What Security Personnel Should Know How an organization operates at all levels. That IS security is usually a mgmt problem & seldom exclusively technical problem How to work with people The role of policy in guiding security functions Most IT technologies (not as expert but as generalist) Terminology of IT and IS How to protect an org’s assets from security attacks How business solutions can be applied to solve problems Strong communications and writing skills

Entry in the IS Professional IT technical people Networking experts Programmers Database administrators System Administrators Non technical Ex-law enforcement Military personnel

Classification of positions Definers Provide policies, guidelines and standards Do consulting and risk assessment Develop the product and technical architectures Senior people with broad knowledge (not depth( Builders Techies Create and install security solutions Administrators Operate and administer the security tools Monitor Day-to-day work

Chief Information Security Officer Manages overall info security program Drafts or approves info security policies Works with CIO with strategic plans Develops tactical plans Works with security mgmt on operational plans Budgeting Sets priorities for purchase & implementation on security projects Security personnel hiring and firing Spokesperson for the info security team

Security Manager Develop and manage info security programs & control systems Monitor performance of info security & control system for alignment w/policy Prepare & communicate risk assessment Represent management in change management process Incident response Disaster recovery Supervision

IT Security Compliance Manager Develop & manage IT security compliance pgm Develop security standards in line with industry standards Identify IT related business risk Manage and conduct IT security compliance reviews Conduct investigation

Security Technician Technically qualified Able to configure IDS, firewalls etc Able to implement security measures Entry level Generally must have experience Tend to be specialized in one technical area

Certifications Certified Information Systems Security Professional (CISSP) Must possess 3 full-time security professional work Considered most prestigious Covers 10 domains Access control Application security Business continuity and disaster recovery planning Cryptography Information security and risk management Legal, regulations, compliance and investigations Operations security Physical security Security architecture and design Telecommunications and network security

Certifications Systems Security Certified Practitioner Recognizes mastery of an international standard and body of knowledge Oriented toward the security administrator Focuses on practices, roles and responsibilities 7 domains Access controls Cryptography Malicious code and activity Monitoring and analysis Networks and communications Risks, response and recovery Security operations and administration

Certificates Associate of (ISC)2 Geared toward those wanting to take CISSP or SSCP Lack requisite experience Test required Certification and Accreditation Professional (CAP) Minimum of 2 years experience in 1+ of areas of common body of knowledge domains Pass the CAP exam Agree to Code of Ethics Provide background and criminal history

Certifications Certified Information Systems Auditor (CISA) Pass exam Areas IS auditing process IT governance Systems and Infrastructure lifecycle IT service delivery and support Protection of information assets Business and disaster recovery

Certifications Certified Information Systems Manager (CISM) Information Security governance Information risk management Information security program development Information security program management Incident management and response

Certifications Global Information Assurance Certification (GIAC) Security Certified Professional (SCP) Security+ Certified Information Forensic Investigator Various company certifications

Advice for IS Professionals Business before technology When evaluating a problem Look at source of problem first Determine factors impacting problem Check organizational policy for direction Use technology to deploy necessary controls Your job is to protect the orgs information assets Be heard and not seen Know more than you say and be more skillful than you let on Speak to users not at them Your education is never complete

Personnel Precautions Background investigations Conducted for all employees prior to hiring Scope varies with position Extremely sensitive positions – conduct periodically Require written permission as terms of employment

Personnel Precautions Monitoring of employee activity Internet usage Surveillance cameras in sensitive areas Recording telephone conversations Mandatory vacations Exit procedures for employees leaving company