Slide 1: "I will take fifty percent efficiency to get hundred percent loyalty" (Samuel Goldwyn)

Presentation transcript:


Slide 2: PERSONNEL AND SECURITY
- Upon completion of this chapter, you should be able to:
  - Identify the skills and requirements for information security positions
  - Recognize the various information security professional certifications, and identify which skills are encompassed by each
  - Understand and implement information security constraints on the general hiring processes
  - Understand the role of information security in employee terminations
  - Describe the security practices used to control employee behavior and prevent misuse of information

Slide 3: Introduction
- Maintaining a secure environment requires that the InfoSec department be carefully structured and staffed with appropriately credentialed personnel
- It also requires that the proper procedures be integrated into all human resources activities, including hiring, training, promotion, and termination practices

Slide 4: Staffing the Security Function (continued)
- To move the InfoSec discipline forward:
  - The general management community of interest should learn more about the requirements and qualifications for both information security positions and relevant IT positions
  - Upper management should learn more about information security budgetary and personnel needs
  - The IT and general management communities of interest must grant the information security function (and CISO) an appropriate level of influence and prestige

Slide 5: Qualifications and Requirements
- When hiring information security professionals at all levels, organizations frequently look for individuals who have the following abilities:
  - Understand how organizations are structured and operated
  - Recognize that InfoSec is a management task that cannot be handled with technology alone
  - Work well with people in general, including users, and communicate effectively using both strong written and verbal communication skills
  - Acknowledge the role of policy in guiding security efforts

Slide 6: Qualifications and Requirements (continued)
- When hiring information security professionals at all levels, organizations frequently look for individuals who have the following abilities (continued):
  - Understand the essential role of information security education and training, which helps make users part of the solution, rather than part of the problem
  - Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from information security attacks
  - Understand how technical controls can be applied to solve specific information security problems

Slide 7: Qualifications and Requirements (continued)
- When hiring information security professionals at all levels, organizations frequently look for individuals who have the following abilities (continued):
  - Demonstrate familiarity with the mainstream information technologies, including the various operating systems: Disk Operating System (DOS), Windows NT/2000, Linux, and UNIX
  - Understand IT and InfoSec terminology and concepts

Slide 8: Common Background Checks
- Identity checks: personal identity validation
- Education and credential checks: institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: where candidates worked, why they left, what they did, and for how long
- Reference checks: validity of references and integrity of reference sources

Slide 9: Common Background Checks (continued)
- Worker's compensation history: claims from worker's compensation
- Motor vehicle records: driving records, suspensions, and other items noted in the applicant's public record
- Drug history: drug screening and drug usage, past and present
- Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position

Slide 10: Common Background Checks (continued)
- Credit history: credit problems, financial problems, and bankruptcy
- Civil court history: involvement as the plaintiff or defendant in civil suits
- Criminal court history: criminal background, arrests, convictions, and time served

Slide 11: Contracts and Employment
- Once a candidate has accepted a job offer, the employment contract becomes an important security instrument
- It is important to have these contracts and agreements in place at the time of the hire

Slide 12: Security as Part of Performance Evaluation
- To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
- Employees pay close attention to job performance evaluations, and including information security tasks in them will motivate employees to take more care when performing these tasks

Slide 13: Termination Issues (Management of Information Security, 2nd ed., Chapter 10)
- When an employee leaves an organization, the following tasks must be performed:
  - The former employee's access to the organization's systems must be disabled
  - The former employee must return all removable media
  - The former employee's hard drives must be secured
  - File cabinet locks must be changed
  - Office door locks must be changed
  - The former employee's keycard access must be revoked
  - The former employee's personal effects must be removed from the premises
  - The former employee should be escorted from the premises, once keys, keycards, and other business property have been turned over

Slide 14: Termination Issues (continued)
- In addition to performing these tasks, many organizations conduct an exit interview to remind the employee of any contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee's tenure in the organization
- Two methods for handling employee out-processing, depending on the employee's reasons for leaving, are hostile and friendly departures

Slide 15: Hostile Departure
- Security cuts off all logical and keycard access before the employee is terminated
- The employee reports for work, and is escorted into the supervisor's office to receive the bad news
- The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision
- Once personal property has been gathered, the employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building

Slide 16: Friendly Departure
- The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee's access and information usage
- Employee accounts are usually allowed to continue, with a new expiration date
- The employee can come and go at will and usually collects any belongings and leaves without escort
- The employee is asked to drop off all organizational property before departing

Slide 17: Termination Issues
- In either circumstance, the offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organizational stores
- It is possible that departing employees have collected and taken home information or assets that could be valuable in their future jobs
- Only by scrutinizing system logs during the transition period and after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine whether a breach of policy or a loss of information has occurred
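The following is an added worked example, not code from the slides or the textbook, showing how the two out-processing paths on slides 15 and 16 translate into an access cutoff and how the log review that slide 17 calls for can be carried out. A hostile departure loses access at the moment security acts; a friendly departure keeps its account until the new expiration date. The review then reports any activity by a departed account after its cutoff (a failed login after the cutoff is the control working, a success or a file action is the control failing) and totals what each departing user downloaded during the transition window. The log layout, the usernames, the timestamps and every record are constructed for the example.

```python
"""Post-departure access review (added example; log format and data are constructed)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


@dataclass
class Departure:
    user: str
    kind: str           # "hostile" or "friendly"
    notice: datetime    # when security learned the employee is leaving
    expires: datetime   # friendly departures: the new account expiration date


def access_cutoff(d: Departure) -> datetime:
    """Moment after which any activity by the account is a finding."""
    if d.kind == "hostile":
        return d.notice     # access is removed before the employee is told (slide 15)
    if d.kind == "friendly":
        return d.expires    # account continues until the new expiration date (slide 16)
    raise ValueError(f"unknown departure kind: {d.kind!r}")


# Constructed sample events in a simple key=value layout (an assumption, not a real product's format).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z auth user=asmith action=login src=10.0.4.17 result=success
2024-03-01T08:05:40Z file user=asmith action=download path=/finance/q1.xlsx bytes=120433
2024-03-04T09:12:55Z file user=asmith action=download path=/finance/forecast.xlsx bytes=990211
2024-03-06T07:30:00Z auth user=asmith action=login src=10.0.4.17 result=success
2024-03-02T12:00:00Z auth user=cwu action=login src=10.0.1.1 result=success
2024-03-08T18:41:30Z auth user=bjones action=login src=203.0.113.9 result=failure
2024-03-08T18:42:01Z auth user=bjones action=login src=203.0.113.9 result=success
"""

DEPARTURES = [
    # Friendly: gave notice on 1 March; account set to expire at the start of 5 March.
    Departure("asmith", "friendly", utc("2024-03-01T00:00:00Z"), utc("2024-03-05T00:00:00Z")),
    # Hostile: access was to be cut at 09:00 on 8 March, before the termination meeting.
    Departure("bjones", "hostile", utc("2024-03-08T09:00:00Z"), utc("2024-03-08T09:00:00Z")),
]


def parse_line(line: str) -> dict:
    stamp, source, *pairs = line.split()
    event = {"ts": utc(stamp), "source": source}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def after_cutoff(log: str, departures: List[Departure]) -> Dict[str, List[dict]]:
    """Events recorded for each departed account at or after its cutoff."""
    cutoff = {d.user: access_cutoff(d) for d in departures}
    findings: Dict[str, List[dict]] = {d.user: [] for d in departures}
    for line in log.splitlines():
        ev = parse_line(line)
        user = ev.get("user")
        if user in cutoff and ev["ts"] >= cutoff[user]:
            findings[user].append(ev)
    return findings


def unrevoked_accounts(findings: Dict[str, List[dict]]) -> List[str]:
    """Accounts that still got in after the cutoff (any non-failure event)."""
    return sorted(user for user, events in findings.items()
                  if any(ev.get("result") != "failure" for ev in events))


def transition_bytes(log: str, departures: List[Departure]) -> Dict[str, int]:
    """Bytes downloaded by each departing user between notice and cutoff."""
    window = {d.user: (d.notice, access_cutoff(d)) for d in departures}
    totals = {d.user: 0 for d in departures}
    for line in log.splitlines():
        ev = parse_line(line)
        user = ev.get("user")
        if user in window and ev["source"] == "file":
            start, end = window[user]
            if start <= ev["ts"] < end:
                totals[user] += int(ev["bytes"])
    return totals


if __name__ == "__main__":
    found = after_cutoff(SAMPLE_LOG, DEPARTURES)
    for user, events in found.items():
        for ev in events:
            print(f"{user}: {ev['source']} {ev['action']} at {ev['ts'].isoformat()} "
                  f"result={ev.get('result', 'n/a')}")
    print("accounts not effectively revoked:", unrevoked_accounts(found))
    print("bytes downloaded during transition:", transition_bytes(SAMPLE_LOG, DEPARTURES))
```

In the constructed data both departures surface as findings: the friendly account logs in after its expiration date, which means the expiry was never applied, and the hostile account authenticates from outside the network after the cutoff, which means the cutoff did not take effect. The transition-window byte total is the input a reviewer would compare against the user's normal activity before deciding whether anything was taken.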

Slide 18: Personnel Security Practices
- There are various ways of monitoring and controlling employees to minimize their opportunities to misuse information
- Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information

Slide 19: Figure 10-6 Personnel Security Controls

Slide 20: Personnel Security Practices
- Job rotation is another control used to prevent personnel from misusing information assets
- Job rotation requires that every employee be able to perform the work of at least one other employee
- If that approach is not feasible, an alternative is task rotation, in which all critical tasks can be performed by multiple individuals

Slide 21: Personnel Security Practices (continued)
- Both job rotation and task rotation ensure that no one employee is performing actions that cannot be knowledgeably reviewed by another employee
- For similar reasons, each employee should be required to take a mandatory vacation of at least one week per year
- This policy gives the organization a chance to perform a detailed review of everyone's work

Slide 22: Personnel Security Practices (continued)
- Finally, another important way to minimize opportunities for employee misuse of information is to limit access to information
- That is, employees should be able to access only the information they need, and only for the period required to perform their tasks
- This idea is referred to as the principle of least privilege

Slide 23: Personnel Security Practices (continued)
- Similar to the need-to-know concept, least privilege ensures that no unnecessary access to data occurs
- If all employees can access all the organization's data all the time, it is almost certain that abuses (possibly leading to losses in confidentiality, integrity, and availability) will occur
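As an added example (not code from the slides or the textbook), the review below turns the controls on slides 18 and 22-23 into checks that can be run over an access-grant inventory: separation of duties as a list of permission pairs no single person may hold, least privilege as a comparison of what was granted against what was actually exercised in a review window, and the "only for the period required" rule as an expiry on each grant that an access-time check enforces. The finance-style permission names, the users, the rules and the usage data are all constructed assumptions.

```python
"""Separation-of-duties and least-privilege review (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple


def utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    expires: Optional[datetime] = None   # None: standing grant; otherwise time-bound


# Constructed grants for a hypothetical finance application.
GRANTS = [
    Grant("alice", "vendor.create"),
    Grant("alice", "payment.approve"),      # conflicts with vendor.create under SOD_RULES
    Grant("bob", "vendor.create"),
    Grant("bob", "report.read"),
    Grant("carol", "payment.approve"),
    Grant("carol", "ledger.export", expires=utc("2024-02-01T00:00:00Z")),  # one-off audit task
    Grant("dave", "report.read"),
]

# Separation-of-duties rules: pairs of powers no single person may hold at once.
SOD_RULES = [("vendor.create", "payment.approve"), ("ledger.write", "ledger.audit")]

# Permissions each user actually exercised during the review window (constructed from logs).
USED = {
    "alice": {"vendor.create"},
    "bob": {"vendor.create", "report.read"},
    "carol": {"payment.approve"},
    "dave": set(),
}


def held_permissions(grants: Iterable[Grant]) -> Dict[str, Set[str]]:
    held: Dict[str, Set[str]] = {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.permission)
    return held


def sod_violations(grants: Iterable[Grant], rules) -> List[Tuple[str, str, str]]:
    """Users holding both halves of a conflicting pair, whether or not a grant has expired."""
    out = []
    for user, perms in sorted(held_permissions(grants).items()):
        for a, b in rules:
            if a in perms and b in perms:
                out.append((user, a, b))
    return out


def unused_grants(grants: Iterable[Grant], used: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Granted but never exercised in the window: least-privilege removal candidates."""
    result = {}
    for user, perms in held_permissions(grants).items():
        extra = perms - used.get(user, set())
        if extra:
            result[user] = extra
    return result


def is_allowed(grants: Iterable[Grant], user: str, permission: str, now: datetime) -> bool:
    """Access-time check: the grant must exist and must not have expired."""
    return any(
        g.user == user and g.permission == permission
        and (g.expires is None or now < g.expires)
        for g in grants
    )


if __name__ == "__main__":
    now = utc("2024-03-01T00:00:00Z")
    print("separation-of-duties violations:", sod_violations(GRANTS, SOD_RULES))
    print("granted but unused:", unused_grants(GRANTS, USED))
    print("carol may export the ledger now?", is_allowed(GRANTS, "carol", "ledger.export", now))
```

Run against the constructed inventory, the review reports one separation-of-duties violation (a user who can both create a vendor and approve a payment), three standing grants that were never used and so should be questioned, and a time-bound grant that the access-time check refuses once its period has passed even though the grant record still exists.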

Slide 24: Security of Personnel and Personal Data
- Organizations are required by law to protect sensitive or personal employee information, including personally identifying facts such as employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members
- This responsibility also extends to customers, patients, and anyone with whom the organization has business relationships

Slide 25: Security of Personnel and Personal Data (continued)
- While personnel data is, in principle, no different than other data that information security is expected to protect, certainly more regulations cover its protection
- As a result, information security procedures should ensure that this data receives at least the same level of protection as the other important data in the organization

Slide 26: Security Considerations for Non-employees
- Many individuals who are not employees often have access to sensitive organizational information
- Relationships with individuals in this category should be carefully managed to prevent threats to information assets from materializing

Slide 27: Temporary Workers
- Because temporary workers are not employed by the organization for which they're working, they may not be subject to the contractual obligations or general policies that govern other employees
- Unless specified in its contract with the organization, the temp agency may not be liable for losses caused by its workers
- From a security standpoint, access to information for these individuals should be limited to what is necessary to perform their duties

Slide 28: Contract Employees
- While professional contractors may require access to virtually all areas of the organization to do their jobs, service contractors usually need access only to specific facilities, and they should not be allowed to wander freely in and out of buildings
- In a secure facility, all service contractors are escorted from room to room, and into and out of the facility

Slide 29: Contract Employees (continued)
- Any service agreements or contracts should contain the following regulations:
  - The facility requires 24 to 48 hours' notice of a maintenance visit
  - The facility requires all on-site personnel to undergo background checks
  - The facility requires advance notice for cancellation or rescheduling of a maintenance visit

Slide 30: Consultants
- Consultants have their own security requirements and contractual obligations
- They should be handled like contract employees, with special requirements, such as information or facility access requirements, being integrated into the contract before they are given free access to the facility

Slide 31: Consultants (continued)
- Just because you pay security consultants, it doesn't mean that protecting your information is their number one priority
- Always remember to apply the principle of least privilege when working with consultants

Slide 32: Business Partners
- Businesses sometimes engage in strategic alliances with other organizations to exchange information, integrate systems, or enjoy some other mutual advantage
- A prior business agreement must specify the levels of exposure that both organizations are willing to tolerate
- In particular, security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization from intentional or accidental breaches of confidentiality

Slide 33: Business Partners (continued)
- If the strategic partnership evolves into an integration of the systems of both companies, competing groups may be provided with information that neither parent organization expected
  - Nondisclosure agreements are an important part of any such collaborative effort
- The level of security of both systems must be examined before any physical integration takes place, as system connection means that a vulnerability on one system becomes a vulnerability for all linked systems

Slide 34: Summary
- Introduction
- Staffing the Security Function
- Information Security Professional Credentials
- Employment Policies and Practices