INFORMATION SECURITY MANAGEMENT
LECTURE 10: PERSONNEL & SECURITY

You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Introduction
– Maintaining a secure environment requires that the InfoSec department be carefully structured and staffed with appropriately credentialed personnel
– Proper procedures must be integrated into all human resources activities

Qualifications and Requirements
– Recognizing that InfoSec is a management task that cannot be handled with technology alone
– Acknowledging the role of policy in guiding security efforts
– Understanding the essential role of information security education and training
– Perceiving the threats facing an organization
– Understanding how to apply technical controls

Information Security Positions
Types of information security positions:
– Definers
– Builders
– Administrators
Common positions:
– CISO
– Security Manager
– Security Technician

Information Security Professional Credentials
– Many organizations rely on professional certifications
– Employers struggle to match certifications to position requirements
– Certifying bodies work to educate their constituent communities on the value and qualifications of their certificate recipients

(ISC)² Certifications – CISSP
CISSP covers the InfoSec common body of knowledge:
– Access Control
– Application Security
– Business Continuity and Disaster Recovery Planning
– Cryptography
– Information Security and Risk Management
– Legal, Regulations, Compliance and Investigations
– Operations Security
– Physical (Environmental) Security
– Security Architecture and Design
– Telecommunications and Network Security

(ISC)² Certifications (cont’d.)
Systems Security Certified Practitioner (SSCP) – focuses on practices, roles, and responsibilities covering seven domains:
– Access controls
– Analysis and monitoring
– Cryptography
– Malicious code
– Networks and telecommunications
– Risk, response and recovery
– Security operations and administration

(ISC)² Certifications (cont’d.)
ISSAP®: Information Systems Security Architecture Professional
– Access control systems and methodology
– Telecommunications and network security
– Cryptography
– Requirements analysis and security standards, guidelines, criteria
– Technology-related business continuity planning and disaster recovery planning
– Physical security integration

(ISC)² Certifications (cont’d.)
– ISSEP®: Information Systems Security Engineering Professional
– ISSMP®: Information Systems Security Management Professional

Global Information Assurance Certification
GIAC Certifications:
– Information Security Fundamentals (GISF)
– Security Essentials Certification (GSEC)
– Certified Firewall Analyst (GCFW)
– Certified Intrusion Analyst (GCIA)
– Certified Incident Handler (GCIH)
– Certified Windows Security Administrator (GCWN)
– Certified UNIX Security Administrator (GCUX)
– Certified Forensics Analyst (GCFA)

Global Information Assurance Certification (cont’d.)
GIAC Certifications (cont’d.):
– Securing Oracle Certification (GSOC)
– Intrusion Prevention (GIPS)
– Cutting Edge Hacking Techniques (GHTQ)
– Web Application Security (GWAS)
– Reverse Engineering Malware (GREM)
– Assessing Wireless Networks (GAWN)

Security+
The CompTIA Security+ certification:
– Tests for security knowledge mastery
– Candidates must have two years of on-the-job networking experience with emphasis on security
– Exam covers industry-wide topics including:
  Systems security (21%)
  Network infrastructure (20%)
  Access control (17%)
  Assessments & audits (15%)
  Cryptography (15%)
  Organizational security (12%)

Certification Costs
– Preferred certifications can be expensive
– Certifications recognize experts in their respective fields
– Most examinations:
  Require between two and three years’ experience
  Are structured to reward candidates who have significant hands-on experience

Employment Policies and Practices
Management should integrate solid information security concepts:
– Across all of the organization’s employment policies and practices
– Including information security responsibilities in every employee’s job description and subsequent performance reviews

Security as Part of Performance Evaluation
– Organizations should incorporate information security components into employee performance evaluations

Termination Issues
When an employee leaves an organization, the following tasks must be performed:
– Disable access to the organization’s systems
– Return all removable media
– Secure hard drives
– Change file cabinet and door locks
– Revoke keycard access
– Remove personal effects
– Escort the former employee from the premises

Termination Issues: Hostile Departure
– Security cuts off all logical and keycard access before the employee is terminated
– The employee reports for work and is escorted into the supervisor’s office to receive the bad news
– The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects

Termination Issues: Friendly Departure
– The employee may have tendered notice well in advance of the actual departure date
– Employee accounts are usually allowed to continue, with a new expiration date
– The employee can come and go at will, usually collects any belongings and leaves without escort, dropping off all organizational property before departing

Termination Issues
In either circumstance:
– Offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organizational stores
– Departing employees may have collected and taken home information or assets that could be valuable in their future jobs
– Scrutinizing system logs may allow an organization to determine whether a breach of policy or a loss of information has occurred
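The two departure modes above differ mainly in when access is supposed to end, and the log-scrutiny point is a check that it actually did. The following added example (not from the lecture or its textbook) encodes that cutoff rule, hostile departures lose access when security is notified and friendly ones at the start of the day after the last working day, and runs it over a constructed authentication and badge log to flag successful events after the cutoff. The log format, user names and dates are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Departure:
    user: str
    kind: str            # "hostile" or "friendly", as the slides distinguish them
    notified: datetime   # when HR told security the person is leaving
    last_day: datetime   # scheduled final working day

def access_cutoff(d: Departure) -> datetime:
    """Hostile: logical and keycard access ends before the termination meeting.
    Friendly: the account keeps running with a new expiration, here the start
    of the day after the last working day."""
    if d.kind == "hostile":
        return d.notified
    return d.last_day + timedelta(days=1)

def parse_log(line: str):
    """Constructed log format: '<ISO timestamp> <user> <action> <result>'."""
    ts, user, action, result = line.split()
    return datetime.fromisoformat(ts), user, action, result

def post_departure_access(d: Departure, log_lines):
    """Return (timestamp, action) for every successful event by the departing
    user at or after the cutoff. Any hit means access was not revoked in time
    or the credentials were reused, and needs follow-up."""
    cutoff = access_cutoff(d)
    hits = []
    for line in log_lines:
        ts, user, action, result = parse_log(line)
        if user == d.user and result == "success" and ts >= cutoff:
            hits.append((ts.isoformat(), action))
    return hits

# Constructed sample data: two departures and a small auth/badge log.
HOSTILE = Departure("jdoe", "hostile", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1))
FRIENDLY = Departure("asmith", "friendly", datetime(2024, 2, 20), datetime(2024, 3, 8))
LOG = [
    "2024-03-01T08:55:00 jdoe login success",     # before hostile cutoff: fine
    "2024-03-01T17:10:00 jdoe badge-in success",  # after cutoff: keycard not revoked
    "2024-03-02T09:00:00 jdoe login failure",     # failed attempt: not a hit here
    "2024-03-05T10:00:00 asmith vpn success",     # during notice period: allowed
    "2024-03-09T02:30:00 asmith vpn success",     # after last day: account not expired
]
```

Running post_departure_access(HOSTILE, LOG) returns the 17:10 badge-in, showing the keycard was not revoked with the logical access; the friendly case returns the 2024-03-09 VPN session, showing the account’s new expiration date was not enforced.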

Personnel Security Practices
Methods of monitoring and controlling employees:
– Separation of duties
– Two-man control
– Job rotation
– Task rotation

Security of Personnel and Personal Data
– Organizations are required by law to protect sensitive or personal employee information
– Responsibility extends to customers, patients, and anyone with whom the organization has business relationships
– Personnel data is no different from other data that information security is expected to protect, but more regulations cover its protection

Security Considerations for Nonemployees
– Many individuals who are not employees often have access to sensitive organizational information

Security Considerations for Nonemployees
Temporary workers:
– Not employed by the organization for which they’re working
– May not be subject to the contractual obligations or policies that govern employees
– Unless specified in its contract with the organization, the temporary agency may not be liable for losses caused by its workers
– Access to information should be limited to what is necessary to perform their duties

Security Considerations for Nonemployees
Contract employees:
– Know what they need access to
– Not all contractors need universal access
– Regulations for service agreements or contracts:
  Require 24 to 48 hours’ notice
  Require all on-site personnel to undergo background checks
  Require advance notice for cancellation or rescheduling of a maintenance visit

Security Considerations for Nonemployees (cont’d.)
Consultants:
– Have their own security requirements and contractual obligations
– Protecting your information may not be their number one priority
– Apply the principle of least privilege