Presentation is loading. Please wait.

Presentation is loading. Please wait.

Personnel and Security

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Personnel and Security"— Presentation transcript:

1 Personnel and Security
EECS 711 Philip Mein "Prakash" Pallavur Sankaranaraynan Annette Tetmeyer

2 Outline Introduction Staffing the Security Function
Information Security Professional Credentials Employment Policies and Practices Conclusion Questions 2 EECS 711 Spring 2008 Chapter 10 2

3 Introduction InfoSec department must be carefully structured and staffed with appropriately skilled and screened personnel Requires Human Resources to have the proper policies integrated into its procedures (hiring, training, promotion, and termination)‏ What to look for in personnel (certifications)‏ IT security job descriptions How to integrate InfoSec policies into an organizations hiring practices Blueprint will describe existing controls and identifies other necessary security controls. 3 EECS 711 Spring 2008 Chapter 10 3

4 Staffing the Security Function
Supply and Demand of qualified staff many economic forecasters expect the deferred demand to become active in the InfoSec field 4 EECS 711 Spring 2008 Chapter 10

5 Qualifications and Requirements
General management community of interest should learn more about the requirements and qualifications for both IT and InfoSec positions Upper management should learn more about InfoSec budgetary and personnel needs The IT and general management communities of interest must grant the InfoSec function an appropriate level of influence and prestige 5 EECS 711 Spring 2008 Chapter 10

6 Hiring InfoSec Professionals
Understand how organizations are structured and operated Recognize the InfoSec is a management task that cannot be handled with technology alone Work well with people in general (written and verbal)‏ Acknowledge the role of policy in guiding security efforts Understand the essential role of InfoSec education and training Perceive the threats facing an organization, understand how these threats can be transformed into attacks, and safeguard the organization from these attacks Understand how technical controls can be applied to solve specific information security problems Demonstrate familiarity with mainstream information technologies Understand IT and InfoSec terminology and concepts 6 EECS 711 Spring 2008 Chapter 10

7 Entering the InfoSec Profession
Traditional Career Path to InfoSec was from Technology or Military/Law enforcement Modern Path to InfoSec is from a security education background EECS 711 Spring 2008 Chapter 10

8 Information Security Positions
Complete job descriptions for InfoSec positions can be found in Charles Cresson Wood's book Information Security Roles and Responisibilities Made Easy Definers Provide the policies, guidelines and standards Do the consulting and risk assessment Develop the product and technical architectures Builders Techies who create and install security solutions Administrators Operate and administer the security tools Security monitoring function Continuously improve the process 8 EECS 711 Spring 2008 Chapter 10

9 InfoSec Positions CISO Security Manager Security Technician
Top InfoSec officer Must be conversant in all areas (technology, planning, and policy)‏ Responsible for the overall InfoSec program Security Manager Responsible for policy development, risk assessment, contingency planning, and operational and tatical planning Understanding of technology administered but not necessarily proficiency in its configuration or operation Security Technician Technically qualified individuals who configure and maintain security technology Are likely to be IT technicians who have adopted a different career path 9 EECS 711 Spring 2008 Chapter 10

10 Other Position Titles Many noninformation security job descriptions must define information security roles and responsibilities Community of interest with security roles and responsibilites Information Security Community IT Community General Business Community Building and Facilities Guard Office Maintenance Worker Human Resources Dept manager CFO CEO 10 EECS 711 Spring 2008 Chapter 10

11 Social Engineering An attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems Top 4 hacking moments on film Independence Day: Using an old space ship as cover for two humans to infiltrate the alien mother ship and upload a virus to destroy it. Hackers: Dumpster diving in the target company's trash in order to obtain financial data from printouts. War Games: Password cracking the military computer system by studying its creator. Ferris Bueller's Day Off: Faking a grandmother's death to get Ferris's girlfriend excused from school through multiple phone calls and answering machine recordings. Sneakers: Intercepting the call from the security guard to bypass the alarm and rob the bank. <Sneakers> Question: Which of the above hacks did not employ a social engineering technique? 11 EECS 711 Spring 2008 Chapter 10

12 Social Engineering SE Attack Detection
Employees need to be trained to detect anomalies in conversation, , and pop-up windows SE Attack Prevention Preparation (SETA)‏ Table 10-3 SE Attack Defense Organizations should have an established procedure for reporting suspected SE attacks IR team should log attacks and treat them no differently than other attacks 12 EECS 711 Spring 2008 Chapter 10

13 Information Security Professional Credentials
Professional certifications ascertain the level of proficiency possessed by different candidates. Employers struggle to match certifications to position requirements. Potential infosec workers try to determine which certificates will help them in the job market EECS 711 Spring 2008 Chapter 10 13

14 Information Security Professional Credentials
The widely recognized certification programs are: Certified Information Systems Security Professional (CISSP) Systems Security Certified Practitioner (SSCP) Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) Global Information Assurance Certification (GIAC) Security Certified Program (SCP) Security+ Certified Computer Examiner (CCE) Certified Forensics Investigator (CIFI) EECS 711 Spring 2008 Chapter 10 14

15 Certified Information Systems Security Professional (CISSP)
Considered the most prestigious certification for Security Managers and CISO’s. Offered by the International Information Systems Security Certification Consortium (ISC)2. Recognizes mastery of an internationally identified common body of knowledge (CBK) in information security. Candidates must have at least 3 years of direct, full-time security professional work experience. The test covers 10 domains of information security and consists of 250 multiple choice questions to be completed in 6 hours. EECS 711 Spring 2008 Chapter 10

16 Certified Information Systems Security Professional (CISSP)
The 10 domains of information security knowledge are: Access control systems and methodology Applications and systems development Business continuity planning Cryptography Law, investigation and ethics Operations security Physical security Security architecture and models Security management practices Telecommunications, network and Internet security EECS 711 Spring 2008 Chapter 10 16

17 Certified Information Systems Security Professional (CISSP)
CISSP certification requires the successful completion of the exam and an endorsement by a qualified 3rd party to ensure that the applicant meets the experience requirement. It is the most challenging of information security certifications. Holders of the CISSP must earn a specific number of continuing education credits every 3 years to retain their certification. EECS 711 Spring 2008 Chapter 10

18 Systems Security Certified Practitioner (SSCP)
Also offered by the (ISC)2. Less rigorous than the CISSP. More applicable to security managers than the technicians. Most of the questions focus on the operational nature of information security. Focuses on practices, roles and responsibilities as defined by experts from major IS industries. The SSCP exam consists of 125 multiple-choice questions covering 7 domains on information security to be completed in 3 hours. Spring 2008 EECS 711: Security Management and Audit EECS 711 Spring 2008 Chapter 10 18 18 18

19 Systems Security Certified Practitioner (SSCP)
The 7 domains are: Access controls Administration Audit and monitoring Risk, response and recovery Cryptography Data communications Malicious code/malware EECS 711 Spring 2008 Chapter 10 19

20 Systems Security Certified Practitioner (SSCP)
Like the CISSP, a SCCP holder must earn continuing credits to retain certification, or else retake the exam. Slightly more technical than the CISSP. EECS 711 Spring 2008 Chapter 10

21 CISSP Concentrations ISSAP: Information Systems Security Architecture Professional ISSEP: Information Systems Security Engineering Professional ISSMP: Information Systems Security Management Professional EECS 711 Spring 2008 Chapter 10

22 Certified Information Systems Auditor (CISA)
Not specifically a security certification but includes many information security components. Sponsored by the Information Systems Audit and Control Association (ISACA). Certification appropriate for auditing, networking and security professionals. Requires experience as an information systems auditor, with a minimum of 5 years professional experience. Requires agreement to the Code of Professional Ethics. Requires a minimum of 20 hours of continuing education annually and 120 hours during a fixed 3 year period. Adherence to the Information Systems Auditing Standards. EECS 711 Spring 2008 Chapter 10

23 Certified Information Systems Auditor (CISA)
The exam covers the following areas: IS audit process (10%) IT governance (15%) Systems and infrastructure lifecycle management (16%) IT service delivery and support (14%) Protection of information assets (31%) Business continuity and disaster recovery (14 %) EECS 711 Spring 2008 Chapter 10

24 Certified Information Security Manager (CISM)
Also offered by the ISACA. Geared towards the experienced information security manager and other with information security management responsibilities. This certification assures executive management that the candidate has the required background knowledge needed for effective security management and consulting. The exam is offered annually. Requires the applicant to adhere to ISACA code of ethics. Requires pursuing continuing education. Applicants must have at least 5 years of information security experience with at least 3 years in information security management. EECS 711 Spring 2008 Chapter 10

25 Certified Information Security Manager (CISM)
The CISM exam covers: Information security governance (21%) Risk management (21%) Information security program management (24%) Response management (13%) EECS 711 Spring 2008 Chapter 10

26 Global Information Assurance Certification (GIAC)
Developed by Systems Administration, Networking and Security (SANS) organization. Tests both for knowledge and applicants ability to demonstrate application of that knowledge. Offers the only advanced technical certifications. The GIAC family of certifications can be pursued independently or combined to earn a comprehensive certification called GIAC Security Engineer (GSE). Only when practical assignment is complete is the candidate allowed to take the online exam. GIAC now offers two types of certifications: Silver and Gold. EECS 711 Spring 2008 Chapter 10

27 Global Information Assurance Certification (GIAC)
Requirements for Silver certification: Completion of exams Full certifications require 2 exams; certificates require a single exam Requirements for Gold certification: Complete Silver certification Passing a technical paper review, the paper demonstrates real world, hands on mastery of security skills EECS 711 Spring 2008 Chapter 10

28 Global Information Assurance Certification (GIAC)
The individual GIAC certifications are as follows: GIAC Information Security Fundamentals (GISF) GIAC Security Essentials Certification (GSEC) GIAC Certified Firewall Analyst (GCFW) GIAC Certified Intrusion Analyst (GCIA) GIAC Certified Incident Handler (GCIH) GIAC Certified Windows Security Administrator (GCWN) GIAC Certified UNIX Security Administrator (GCUX) GIAC Certified Forensics Analyst (GCFW) GIAC Securing Oracle Certification (GSOC) GIAC Intrusion Prevention (GIPS) GIAC Cutting Edge Hacking Techniques (GHTQ) EECS 711 Spring 2008 Chapter 10 EECS 711 Spring 2008 Chapter 10 28

29 Security Certified Program (SCP)
SCP offers two tracks: Security Certified Network Professional (SCNP) and the Security Certified Network Architect (SCNA). Both designed for the security technician. While not as detailed as the GIAC certifications, these programs provide the knowledge needed to work in new areas of security, while developing a vendor neutral core of practitioner knowledge evaluation. The SCNP track targets firewalls & intrusion detection, and requires 2 exams: Hardening The Infrastructure (HTI) Network Defense & Countermeasures (NDC) The SCNA program includes the following: Enterprise Security Implementation (ESI) which covers: Advanced Security Implementation (ASI) Enterprise Security Solutions (ESS) The Solution Exam (TSE) covering all facets of the SCP courses EECS 711 Spring 2008 Chapter 10

30 Security+ Offered by CompTIA a vendor neutral certification program.
Tests for security knowledge mastery of an individual with 2 years on the job networking experience. CompTIA Security+ curricula is being taught at colleges, universities and commercial training centers. Exam covers industry-wide topics including: General Security Concepts Communication Security Infrastructure Security Basics of Cryptography Operational/Organizational Security EECS 711 Spring 2008 Chapter 10

31 Certified Computer Examiner (CCE)
Is a computer forensics certification provided by the International Society of Forensic Computer Examiners To complete the certification the applicant must: Have no criminal record Meet minimum experience, training or self-training requirements Abide by certification’s code of ethical standards Pass an online exam Successfully perform actual forensic exams on 3 test media EECS 711 Spring 2008 Chapter 10

32 Certified Computer Examiner (CCE)
The CCE certification process covers the following areas: Acquisition, marking, handling, and storage of evidence procedures Chain of custody Essential “core” forensic computer examination procedures The “rules of evidence” as they relate to computer examinations Basic PC hardware construction and theory Very basic networking theory Basic data recovery techniques Authenticating MS word documents and accessing and interpreting metadata Basic optical recording processes and accessing data on optical media Basic password recovery techniques Basic internet issues EECS 711 Spring 2008 Chapter 10

33 Certified Information Forensics Investigator (CIFI)
The Information Security Forensics Association (ISFA) is developing an examination for a Certified Information Forensics Investigator (CIFI). This program will evaluate expertise in tasks and responsibilities of a security administrator or security manager, including incident response, working with law enforcement, and auditing. EECS 711 Spring 2008 Chapter 10

34 Certified Information Forensics Investigator (CIFI)
Although the certification exam has not been finalized, the body of knowledge has been tentatively defined to include the following aspects of information security: Countermeasures Auditing Incident response teams Law enforcement and investigation Traceback Tools and techniques EECS 711 Spring 2008 Chapter 10

35 Certification Costs Certifications can be expensive.
The high costs deter those who might take the exam just to see if they can pass. Most experienced professionals find it difficult to do well on them without at least some review. Most programs require between 2 & 3 years of work experience. Often structured to reward candidates who have significant hands-on experience. EECS 711 Spring 2008 Chapter 10

36 Approaches to prepare for security certification
EECS 711 Spring 2008 Chapter 10

37 Employment Policies and Practices
EECS 711 Spring 2008 Chapter 10

38 Employment Policies and Practices
Hiring and Firing Contracts Personnel Security Practices Security Considerations for Nonemployees The general management community of interest should integrate solid information security concepts across all of the organization’s employment policies and practices. Including information security responsibilities into every employee’s job description and subsequent performance reviews can make an entire organization take information security more seriously. EECS 711 Spring 2008 Chapter 10

39 Hiring Job Descriptions Interviews New Hire Orientation
On-the-Job Security Training Security Checks Hiring concerns: background checks, certifications, policies, covenants and agreements, contracts Job Descriptions: review and update, when advertising omit elements that describe access privileges Interviews: security managers update HR on details regarding finding the right candidate, but advise on limiting info provided to candidates on access privileges. Avoid secure/restricted sites during tours to avoid providing enough info that could present a potential threat to the organization. New Hire Orientation: cover policies, security procedures, access levels, training on secure use of systems. Understand rights and responsibilities On-the-Job Security Training: formal/informal, internal/external ongoing training EECS 711 Spring 2008 Chapter 10

40 Security Checks Identity checks Education and credentials
Previous employment Reference checks EECS 711 Spring 2008 Chapter 10

41 Make sure to comply with regulations
Security Checks Worker’s compensation history Motor vehicle records Drug history Medical Credit Civil Court Criminal Court Make sure to comply with regulations Security Checks: always conduct background checks, regardless of job level. Must fully understand regulations/laws pertaining to security checks Seek legal counsel Level of detail and depth varies to determine trust level or security clearance. Credit reports can contain info about credit history, employment or other personal data May require written permission releases for financial reports Reports may contain only 7 years of info unless candidate earns more that $75K EECS 711 Spring 2008 Chapter 10

42 Contracts and Employment
Require employees to agree in writing by signing monitoring and nondisclosure agreements Sign before other employment contracts are made Existing employees may not be compelled to sign Monitoring and nondisclosure agreements (which include binding organizational policies) Sign as part of “employment contingent upon agreement” for new hires as existing employees may not be compelled to sign. After signing, other employment contracts may be executed. EECS 711 Spring 2008 Chapter 10

43 Security as Part of Performance Evaluations
How can performance evaluations be used to motivate employees concerning security practices? Use to motivate employees to take more care Heighten awareness and change workplace behavior EECS 711 Spring 2008 Chapter 10

44 Termination Issues Need to protect information to which an employee had access Disable system access Retrieve removable media Secure hard drives (network drives?) Change locks: file cabinets, offices, etc. Revoke keycard access Remove personal items Finally, escort from premises EECS 711 Spring 2008 Chapter 10

45 Termination Issues Conducting Exit Interviews
Remind of contractual obligations Discuss consequences if failure to comply with contractual obligations Gather feedback from employee Termination brings a level of risk exposure to the organization, regardless of level of trust in employee EECS 711 Spring 2008 Chapter 10

46 Immediate Severance Forgo the customary two-week notice
Sensitive areas or positions of trust may require this Do you have any experience with this? EECS 711 Spring 2008 Chapter 10

47 Outprocessing Hostile or friendly departure?
Hostile – termination, downsizing, lay-off, quitting Revoke system access first, then notify employee Collect sensitive items Escort from facility Hostile (usually involuntary): termination, downsizing, lay-off, quitting security cuts off all logical and keycard access escorted to retrieve personal items or personal items will be forwarded (possible written request required) No organizational property is allowed to leave premises including disks, pens, papers, books Surrender keys, keycards, organizational identification/access devices, PDAs, pagers, cell phones, other company property Escort from property EECS 711 Spring 2008 Chapter 10

48 Outprocessing Hostile or friendly departure?
Friendly – retirement, promotion, relocation May be a bit tricky to manage Set expirations dates for system access or phase out access Collect company assets Employees typically have more latitude in removing personal items Friendly (voluntary): Difficult to maintain security if employee is still working before departure Employee may be in charge of dropping off organizational property before departure EECS 711 Spring 2008 Chapter 10

49 Outprocessing Hostile or friendly departure?
For both scenarios complete the following: Inventory offices and info Archive, return to stores or destroy Review logs for possible system misuse (and follow-up as an incident if warranted) What do you do about materials at the employees home? EECS 711 Spring 2008 Chapter 10

50 Personnel Security Practices
Monitor and control employees to minimize opportunities for misuse of info Separation of duties Checks and balances mitigates collusion Two-person control Job and task rotation Mandatory vacations Least privilege Human RAID system Job rotation: requires that every employee be able to perform the work or at least one other employee Task rotation: if whole job rotation is not feasible, select critical tasks to be performed by multiple individuals Mandatory vacations: allows organization the chance to review employee work without the employee being around to conceal misuse Least privilege: limit access to information, ensures that no unnecessary access to data occurs EECS 711 Spring 2008 Chapter 10

51 Personnel Security Practices
EECS 711 Spring 2008 Chapter 10

52 Security of Personnel and Personal Data
Comply with laws regarding protecting sensitive or personal info (employees, customers, business partners, etc.) Names, addresses, phone numbers SSN Medical info There are more regulations that tend to cover this type of information EECS 711 Spring 2008 Chapter 10

53 Security Considerations for Nonemployees
Nonemployees may have access to sensitive info Need to carefully manage these relationships EECS 711 Spring 2008 Chapter 10

54 Temporary Workers Brought in to fill positions temporarily or to supplement workforce Usually retained through an outside agency Contractual obligations/polices may not apply or may not be enforceable Agencies may not be liable for lossses EECS 711 Spring 2008 Chapter 10

55 Temporary Workers To mitigate security concerns
Follow good security practices Clean desk Securing classified data Least privileges, limited access to data Temps should not be employed at the cost of sacrificing information security EECS 711 Spring 2008 Chapter 10

56 Contract Employees Hired to perform specific services via third party organizations Escort employees in secure areas Background check all employees Require advance notice for maintenance visits or cancellation/rescheduling EECS 711 Spring 2008 Chapter 10

57 Consultants Self-employed Hired for a specific task or project
Pre-screen and require nondisclosure agreements Explicitly give permissions to use company info for marketing/references Apply least privileges EECS 711 Spring 2008 Chapter 10

58 Business Partners Strategic alliances for the sake of:
Information exchange Systems integration Other mutual advantage Specify levels of exposure that the organization will endure What info will be exchanged? With whom? In what format? EECS 711 Spring 2008 Chapter 10

59 Business Partners System connection means that a vulnerability on one system becomes a vulnerability for all linked systems EECS 711 Spring 2008 Chapter 10

60 Conclusion Use standard job descriptions to increase the degree of professionalism in staffing Professional certifications help to identify levels of proficiency Integrate security concepts and practices into employment activities EECS 711 Spring 2008 Chapter 10 60 60

61 Questions EECS 711 Spring 2008 Chapter 10

62 References EECS 711 Spring 2008 Chapter 10

Download ppt "Personnel and Security"

Similar presentations

Introduction When implementing information security, there are many human resource issues that must be addressed Positioning and naming of the security.

Introduction When implementing information security, there are many human resource issues that must be addressed Positioning and naming of the security.
DoD Information Assurance Certification

DoD Information Assurance Certification
MANAGEMENT of INFORMATION SECURITY Second Edition.

MANAGEMENT of INFORMATION SECURITY Second Edition.
Management of Information Security Chapter 10 Personnel and Security

Management of Information Security Chapter 10 Personnel and Security
1 ITC358 ICT Management and Information Security Chapter 11 P ERSONNEL AND S ECURITY I’ll take fifty percent efficiency to get one hundred percent loyalty.

1 ITC358 ICT Management and Information Security Chapter 11 P ERSONNEL AND S ECURITY I’ll take fifty percent efficiency to get one hundred percent loyalty.
Security and Personnel

Security and Personnel
StanSource Inc. is Information Technology services and solutions providing organization engaged in providing a full range of solutions and services to.

StanSource Inc. is Information Technology services and solutions providing organization engaged in providing a full range of solutions and services to.
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
INFORMATION SECURITY MANAGEMENT L ECTURE 10: P ERSONNEL & S ECURITY You got to be careful if you don’t know where you’re going, because you might not get.

INFORMATION SECURITY MANAGEMENT L ECTURE 10: P ERSONNEL & S ECURITY You got to be careful if you don’t know where you’re going, because you might not get.
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
Security Controls – What Works

Security Controls – What Works
Principles of Information Security, 3rd Edition2 Introduction  When implementing information security, there are many human resource issues that must.

Principles of Information Security, 3rd Edition2 Introduction  When implementing information security, there are many human resource issues that must.
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
MANAGEMENT of INFORMATION SECURITY Second Edition.

MANAGEMENT of INFORMATION SECURITY Second Edition.
Security and Personnel

Security and Personnel
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Security Certification

Security Certification
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Chapter 2 Modern Private Security

Chapter 2 Modern Private Security
Principles of Information Security, 2nd Edition2 Learning Objectives Upon completion of this material, you should be able to:  Understand where and how.

Principles of Information Security, 2nd Edition2 Learning Objectives Upon completion of this material, you should be able to:  Understand where and how.

Similar presentations

Ads by Google