Presentation is loading. Please wait.

Presentation is loading. Please wait.

McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information.

Published bySharyl Atkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information."— Presentation transcript:

1 McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker Chapter 7 Personnel Security

2 7-2 Objectives Ensuring secure behavior Controls for the personnel function The role of human resources in ensuring personnel security Contractor control

3 7-3 Predictability Predictability is the key Information assurance process involves technology, processes, and people Any of these can cause a breakdown in the security, however: Technology is predictable - well-designed processes are, at least, consistent Human behavior is hard to predict and control Disastrous effects of employee-based actions: Organizations should have mechanisms in place to ensure the secure behavior of the employees

4 7-4 First Steps, First Origin of threats Threats that center on people: Outsiders – these threats are commonly recognized Insiders – fraud, misuse, theft, and human error More serious threat to information assets than outsiders Access and security control Establishing secure space defined by perimeters Established to ensure the confidentiality, integrity and availability of the information assets Perimeter control

5 7-5 First Steps, First Ensuring continuous practice Reliable and repeatable performance of approved security requirements Requirement for disciplined practice implies that attention must be paid to motivation Motivation requires awareness

6 7-6 Ensuring Personnel Security Behavior Personnel security behavior falls into three categories: Routine activities – individual actions to secure the space that they control from any threats Operational functions – activities that are performed to ensure the security of the entire system during day-to-day operation Management responsibilities – actions which guarantee that the information assurance and security strategy is implemented properly

7 7-7 Documenting Security Procedures Documentation ensures that security activities are recorded and properly understood Personnel security manual – used to communicate procedures Specifies actions required for ensuring personnel security Serves as a basis for feedback Serves as a mechanism to build and reinforce awareness of what has to be done Documents the corrective actions Members must be aware of the recommended practices that apply

8 7-8 Documenting Security Procedures At a minimum every documented procedure should specify the: Required steps to be taken and by whom Expected outcomes and some way to determine that they have been achieved Interfaces with other security procedures

9 7-9 Assignment of Individual Responsibility Selected managers should be responsible for ensuring that assigned information duties are carried out by: Assigning individual accountability to each worker Regular monitoring of routine information assurance and security operations Rule of thumb in assigning of responsibilities: Specific accountability for security duties must be delegated in writing to each individual involved Every designated worker must be trained and knowledgeable in all aspects used to perform the duties They should be kept up to date on all related practices used

10 7-10 Rules of Behavior Users must be aware of acceptable behavior and understand the consequences of noncompliance Consequences should be spelled out and enforced through a set of rules of behavior They should be in writing They should delineate the responsibilities and expectations for each individual clearly Everyone should understand the rules before they are allowed access They have to be rigorous to ensure security, while giving enough flexibility to perform the jobs properly

11 7-11 Rules of Behavior Rules of behavior should define the organizationally sanctioned response to such concerns as: Individual accountability Assignment and limitation of system privileges Networking and use of the Internet

12 7-12 Role of Awareness and Training Training is an effective countermeasure Ensures that users are well versed in the system’s technical and procedural controls Scheduled, periodic refresher training Specialized training for members who are responsible for maintaining the functions Level of depth and intensity of training should be linked to potential risk and degree of associated harm Should support the users and help them understand how to obtain help when security incidents occur

13 7-13 Role of Awareness and Training Goal of an awareness or training program Ensure an acceptable level of knowledge about information assurance practice for all who work in the secured space Most effective when presented in logical modules or learning stages Cost effective training in the form of interactive computer-based (CBT) training sessions Modern training philosophy leans toward “just-in-time” and “blended” learning approaches

14 7-14 Planning: Ensuring Reliable Control over Personnel Success of the information assurance function rests on the ability to guarantee a minimum level of formal control over personnel Control is defined by a plan Decision makers evaluate information and prepare concrete strategies to mitigate them Aim is to: Ensure that adverse personnel actions are anticipated Reliably controlled by establishing a clearly recognized and understood safeguard

15 7-15 Control Principles Protecting the organization from employee error or misuse with the use of three principles: Individual accountability Everyone should be held responsible for his or her actions Least privilege Restricting a user’s access to the minimum level of access needed to perform his or her job Separation of duties Distribution of the actions to perform a single function among a number of individuals

16 7-16 Personnel Screening Assures that the individuals with access to protected information are not security risks Employed where the information is considered sensitive enough that controls cannot assure security Should be done proportionate to the potential risk and magnitude of harm that might originate from a violation of a classification requirement

17 7-17 Planning for Personnel Assurance Most effective if selected controls and related procedures are embedded in day-to-day operations Achieved by making personnel security planning part of the overall strategic planning function Ensures that the level of personnel security control corresponds to the likelihood of harm Two areas must be addressed by personnel security plans: Define the procedures required to ensure security through the staffing function Provide procedures to ensure that the access for each type of employee is always monitored and controlled

18 7-18 Security and the Human Resources Function The control points for employee hiring can be divided into four stages in the process:

19 7-19 Job Definition Embed a set of information assurance and security requirements into the standard task requirements for the position Decide where each position fits in the hierarchy of the organization Spell out the degree of authority and responsibility for each position Determine the access rights and the level of trust required for every position Document the type of sensitivity and associated level of access required for the work

20 7-20 Assignment of Required Trust Specification of trust requirements Based on the level of trust and sensitivity requirements Access to different information assets implies different types of restrictions Information assurance and security controls should be assigned to regulate each position Based on the potential risks and damage likely to ensue if there were a information assurance breakdown associated with that role

21 7-21 Background Screening and Hiring Confirms that prospective employee fits the information assurance criteria for a given position Factors that should be examined include: Work history Credit history Educational history Interview or psychographic data Any public evidence of addictive behavior

22 7-22 Employee Awareness Training and Education Provide information assurance and security awareness training, and even formal education Communicate an understanding of the procedures required of that position

23 7-23 United States Government Training Standards Public Law 100-235 “Each Federal agency shall provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency.” FISMA – The E-Government Act (Public Law 107-347) Recognized the importance of information security to the economic and national security interests of the United States Motivated the establishment of the National Institute for Standards and Technology (NIST) and the Committee for National Security Systems (CNSS)

24 7-24 United States Government Training Standards NIST Standards SP 500-172: Computer Security Training Guidelines SP 800-16: Information Technology Security Training Requirements SP 800-53: Recommended Security Controls for Federal Information Systems CNSS Training Standards Information Security Professionals Senior Systems Manager System Administrators Information System Security Officers System Certifiers Risk Analyst System Security Engineer

25 7-25 United States Government Training Standards DHS and NSA Academic Certification To certify that the curricula of academic institutions meet required standards National Information Assurance Education and Training Program (NIETP) Encourages and recognizes universities through its Centers of Academic Excellence in IA Education (CAE) program

26 7-26 Private Sector Security Certification Standards No recognized common body of knowledge to use as a point of reference in the development and refinement of accepted practices Range of organizations has sprung up to promote their own view of proper practice Commercial organizations specializing in training for particular technological applications Non-profit organizations, whose certifications are broadly based, such as the: Information Systems Audit and Control Association (ISACA) International Information Systems Security Certification Consortium [(ISC)2]

27 7-27 Assigning Value to Certification Certification is the result of a process Some of the decision criteria that would help provide an accurate picture of the value of a certification are: How long has the certification been in existence? Does the certifying organization’s process conform to established standards? Is the organization ISO/IEC 17024 certified? How many people hold the certification? How widely respected is the certification? Does the certificate span industry boundaries? What is the probability that 5 or 10 years from now, the certificate will still be useful? Does the certification span geographic boundaries?

28 7-28 Controlling Access of Employees and Contractors to Restricted Information Sound personnel security program must: Define the rules that regulate the access of employees to restricted information Ensure that access is defined and controlled Use the following six factors to determine the shape and outcome of that process: User account management Audit and management review procedures Detection of and response to unauthorized activities Friendly termination Unfriendly termination Knowing your contractors

29 7-29 User Account Management Encompasses the practices that an organization employs to: Establish, issue, and close the accounts of individual employees Track employee access behavior Track individual employee access authorizations Manage the employee access control operation

30 7-30 User Account Audit and Management Review Regular and systematic reviews of user accounts Use of those accounts has to be monitored by personal inspection Reviews should verify five user characteristics: Level of access is appropriate to assigned level of privilege for each application Level of access assigned conforms with the concept of least privilege Accounts assigned are active and appropriate to the employee’s job function Management authorizations are up to date Required training has been completed

31 7-31 Detecting Unauthorized/Illegal Activities Procedures should be in place to address employee fraud or misuse Countermeasures employed in this area are frequently based on software-enabled monitoring functions IDSs perform that monitoring function by either: Pattern matching: matching system behavior with known patterns of misuse or violation Anomaly detection: set to detect anomalous behavior with respect to a baseline of normal operation Procedural methods to detect unauthorized or illegal activity such as: Direct auditing of system logs Procedural analysis using audit trails to detect fraudulent actions

32 7-32 Friendly Termination Assurance under friendly termination A set of standard procedures to guide outgoing or transferring employees Implemented as part of standard human resources function Ensure that user account privileges are removed from the system in a timely manner Removal of access privileges, computer accounts, authentication tokens Assurance of the continued integrity and availability of data in accounts that each access privilege was granted for Briefing on the continuing responsibility for confidentiality and privacy Securing cryptographic keys Return of organization IS property

33 7-33 Unfriendly Termination Greater potential for mischief Organization should consider the following steps: Resignation on unfriendly terms – terminate system access immediately Termination decision – remove system access immediately after that decision is made Do not allow access after notifying the decision If the employee continues to work for a period after they have been notified – assign duties that do not require system access Extremely unfriendly terminations – expedite their physical removal from the area

34 7-34 Contractor Considerations Objective: establish sufficient control over all of the personnel in the organization who are involved in performing work or delivering specific work products Some of the steps include: Establish an understanding of the work Perform a thorough job-task analysis of the outsourced work Accountability includes: Monitoring and supervision steps conducted through audits Reviews of the work Implementation of rigorous control functions within automated processes Governed by measurable performance criteria Establish an incident reporting function Computer emergency response team (CERT)

Download ppt "McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information."

Similar presentations

1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
Conservation District Supervisor Accreditation Module 6: Responsibilities and Duties of A Supervisor.

Conservation District Supervisor Accreditation Module 6: Responsibilities and Duties of A Supervisor.
Control and Accounting Information Systems

Control and Accounting Information Systems
Auditing Concepts.

Auditing Concepts.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
The Islamic University of Gaza

The Islamic University of Gaza
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Information Systems Security Officer

Information Systems Security Officer
Stephen S. Yau 1CSE465-591 Fall 2006 IA Policies.

Stephen S. Yau 1CSE Fall 2006 IA Policies.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Purpose of the Standards

Purpose of the Standards
This material was developed by Compacion Foundation Inc and The Hispanic Contractors Association de Tejas under Susan Harwood Grant Number SH-20-843-SH0.

This material was developed by Compacion Foundation Inc and The Hispanic Contractors Association de Tejas under Susan Harwood Grant Number SH SH0.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Safety and Health Programs

Safety and Health Programs
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.

Similar presentations

Ads by Google