Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 578 1
Security and Personnel
Ray Trygstad
ITM 578 Section 071
Summer 2003
Master of Information Technology & Management Program
Center for Professional Development
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
Learning Objectives
Upon completion of this lesson students should be able to:
– Describe where and how the information security function is positioned within organizations
– Discuss issues and concerns about staffing the information security function
– Describe credentials that professionals in the information security field can acquire
Learning Objectives
Upon completion of this lesson students should be able to:
– Recognize how an organization’s employment policies and practices can support the information security effort
– Explain special security precautions necessary for nonemployees
– Recognize the need for the separation of duties
– Describe special requirements needed for the privacy of personnel data
Introduction
When implementing information security, many human resource issues must be addressed:
1. How to position and name the security function
2. Planning of proper staffing for the information security function
3. Understand the impact of information security across every role in the IT function, and adjust job descriptions and documented practices accordingly
4. General management must work with IS professionals to integrate solid information security concepts into organizational personnel management practices
Introduction
Understanding the impact of change on the organization’s personnel management practices is important to the success of implementation
Employees often feel threatened when an organization is creating or enhancing an overall information security program
Quelling doubts and reassuring employees is a fundamental part of implementation
It’s important to supply resources to gather and respond quickly to employee feedback
Security Function Within an Organization’s Structure
The security function can be placed within the:
– IT function
– Physical security function
– Administrative services function
– Insurance and risk management function
– Legal department
Security Function Within an Organization’s Structure
The challenge is to design a structure that balances the competing needs of the communities of interest
Organizations compromise to balance needs of enforcement with needs for education, training, awareness, and customer service
Audit Function of IT Security
Since Information Security has an important audit function, some feel it should not be in the IT organization
This is based on the principle that audit organizations should be external to the area audited
Staffing the Security Function
Selecting information security personnel is based on many criteria, including supply and demand
Many professionals enter the security market by gaining skills, experience, and credentials to qualify as new supply
Staffing the Security Function
Until the new supply reaches the demand level, organizations must pay the higher costs associated with the current limited supply
When supply reaches a level at or above demand, organizations hiring these skills can become selective, so the cost they are willing to pay drops
Currently the information security industry is in a period of high demand
Qualifications and Requirements
Issues in information security hiring:
– Management should learn more about position requirements and qualifications
– Upper management should also learn more about the budgetary needs of the information security function
– Management needs to learn more about the level of influence and prestige the information security function should be given in order to be effective
Qualifications and Requirements
Organizations typically look for a technically-qualified information security generalist
In the information security discipline, over-specialization is often a risk and it is important to balance technical skills with general information security knowledge
Hiring Criteria
When hiring infosec professionals, organizations frequently look for individuals who understand:
– How an organization operates at all levels
– Information security is usually a management problem and is seldom an exclusively technical problem
– People, and have strong communications and writing skills
– The roles of policy and education and training
More Hiring Criteria
When hiring infosec professionals, organizations frequently look for individuals who understand:
– The threats and attacks facing an organization
– How to protect the organization from attacks
– How business solutions can be applied to solve specific information security problems
– Many of the most common mainstream IT technologies, as generalists
– The terminology of IT and information security
Entry into the Security Profession
Many information security professionals enter the field through one of two career paths:
– Ex-law enforcement and military personnel
– Technical professionals working on security applications and processes
Today, students are selecting and tailoring degree programs to prepare for work in security
Career Paths to InfoSec Positions
FIGURE 11-1 Career Paths to Information Security Positions (figure: paths into security from military and law enforcement, from technology, and from security education)
Entry into the Security Profession
Current perception is that a security professional must first be a proven professional in another field of IT
IT professionals moving into information security often focus on the technology to the exclusion of general information security issues
Organizations can foster greater professionalism in the field through clearly defined expectations and position descriptions
ITM 578 18
ILLINOIS INSTITUTE OF TECHNOLOGY
Information Security Positions
The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations
Organizations that are revising the roles and responsibilities of InfoSec staff can consult references
Positions in Information Security
FIGURE 11-2 Positions in Information Security (figure: Chief Information Security Officer (CISO), Security Consultant, Security Administrator, Security Manager, Security Officer, Security Technician)
InfoSec Staffing Help Wanted
Definers provide the policies, guidelines, and standards
Builders are the real techies, who create and install security solutions
Operators run and administer the security tools, perform security monitoring, and continuously improve processes
ITM 578 21
ILLINOIS INSTITUTE OF TECHNOLOGY
Chief Information Security Officer
Top information security position in the organization
– Not usually an executive
– Frequently reports to the CIO/CTO
Qualifications & position requirements:
– Often a CISSP
– Graduate degree
– Experience as a security manager
Business managers first—technologists second; must also be conversant in all areas of security, including technical, planning, and policy
CISO Functions
Manage the overall InfoSec program
Draft or approve information security policies
Work with the CIO on strategic plans, develop tactical plans, and work with security managers on operational plans
Develop InfoSec budgets based on funding
Set priorities for InfoSec projects & technology
Make decisions in recruiting, hiring, and firing of security staff
Act as spokesperson for the security team
Security Manager
Accountable for the day-to-day operation of the information security program
Accomplishes objectives as identified by the CISO
Qualifications and position requirements:
– Not uncommon to have a CISSP
– Traditionally, managers have earned the CISSP while technical professionals earned the Global Information Assurance Certification
– Must have the ability to draft middle- and lower-level policies as well as standards and guidelines
– Must have experience in budgeting, project management, and hiring and firing
– Must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities
Security Technician
Technically qualified individuals tasked to configure security hardware and software
Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution
Qualifications and position requirements:
– Organizations prefer expert, certified, proficient technicians
– Job descriptions cover some level of experience with a particular hardware and software package
– Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required
Internal Security Consultant
Typically an expert in some aspect of information security
While it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant
Must be highly proficient in the managerial aspects of security
Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO
Credentials of Infosec Professionals
Many organizations seek recognizable certifications to indicate proficiency level associated with various security positions
Most certifications are relatively new and not fully understood by hiring organizations
ITM 578 27
ILLINOIS INSTITUTE OF TECHNOLOGY
Credentials of Infosec Professionals
Certifying bodies work hard to educate the general public on the value and qualifications of their certificate recipients
Employers are trying to understand the match between certifications and position requirements, while candidates are trying to gain meaningful employment based on newly received certifications
Credentials of Infosec Professionals
Certifications:
– Certified Information Systems Security Professional (CISSP) & Systems Security Certified Practitioner (SSCP) [(ISC)2]
– Global Information Assurance Certification (GIAC) [SANS Institute]
– Security Certified Professional (SCP) [SCP]
– TruSecure ICSA Certified Security Associate (TICSA) & TruSecure ICSE Certified Security Expert (TICSE) [TruSecure]
Credentials of Infosec Professionals
Certifications:
– Security+ [CompTIA]
– Certified Information Systems Auditor (CISA) & Certified Information Security Manager (CISM) [ISACA]
– Certified Information Forensics Investigator (CIFI) [ISFA]
– Computer and Network Security Technologies Graduate Certificate [IIT]
Cost of Being Certified
Certifications cost money, and the better certifications can be quite expensive; the cost of training can also be significant
Even an experienced professional finds it difficult to sit for one of these exams without some preparation
Cost of Being Certified
Many candidates teach themselves through trade press books; others prefer the structure of formal training
Before attempting a certification exam, do your homework and review the exam criteria, its purpose, and its requirements to ensure that the time and energy spent pursuing the certification are well spent
Preparing for Security Certification
FIGURE 11-3 Preparing for Security Certification (figure: certification supported by self-study guides, mentors & study partners, work experience, training media, and formal training programs)
Advice for Information Security Professionals
If you are a future information security professional, you can benefit from these suggestions on entering the information security job market:
– Always remember: business first, technology last
– It’s all about the information
– Be heard and not seen
– Know more than you say, be more skillful than you let on
– Speak to users, not at them
– Your education is never complete
Employment Policies and Practices
General management should integrate solid information security concepts into the organization’s employment policies and practices
If the organization can include security as a documented part of every employee’s job description, perhaps information security will be taken more seriously
Hiring and Termination Issues
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls
The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel
Hiring Issues
FIGURE 11-4 Hiring Issues (figure: certifications, background checks, covenants & agreements, policies, contracts)
Job Descriptions
Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions
To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions
Interviews
An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have
For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility
Background Checks
A background check is an investigation into a candidate’s past
There are regulations that govern such investigations
Background checks differ in the level of detail and depth with which the candidate is examined:
– Identity checks
– Education and credential checks
– Previous employment verification
– Reference checks
– Worker’s Compensation history
– Motor vehicle records
– Drug history
– Credit history
– Civil court history
– Criminal court history
Fair Credit Reporting Act
Federal regulations govern the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)
Background reports contain information on a job candidate’s credit history, employment history, and other personal data
FCRA prohibits employers from obtaining these reports unless the candidate is informed
Employment Contracts
Once a candidate has accepted the job offer, the employment contract becomes an important security instrument
Many security policies require an employee to agree in writing
– If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation
Employment Contracts
New employees, however, may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he/she agrees to the binding organizational policies
New Hire Orientation
As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security
The levels of authorized access are outlined, and training is provided on the secure use of information systems
By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely
On-the-Job Security Training
As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness training
Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security awareness mission
Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees
Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level
Termination
When an employee leaves an organization, there are a number of security-related issues
Key is protection of all information to which employee had access
Termination Tasks
When an employee leaves, several tasks must be performed:
– Revoke access to the organization’s systems
– Return removable media
– Secure hard drives
– Change file cabinet locks
– Change office door lock
– Revoke keycard access
– Remove all personal effects from the organization’s premises
Once cleared—if circumstances dictate—former employees should be escorted from the premises
Exit Interview
In addition, many organizations use an exit interview to:
– Obtain feedback on the employee’s tenure in the organization
– Remind the departing employee of contractual obligations, such as nondisclosure agreements
– Remind the departing employee that if they fail to comply with contractual obligations, civil or criminal action may result
Exit Scenarios
From a security standpoint, security cannot risk the exposure of organizational information
The simplest and best method to handle the outprocessing of an employee is to select one of the scenarios that follow, based on the employee’s reasons for leaving:
– Hostile departure (nonvoluntary) procedure: termination, downsizing, layoff, or quitting
– Friendly departure (voluntary): retirement, promotion, or relocation
Hostile Departure Procedure
Termination, downsizing, layoff, or quitting
– Terminate all logical and keycard access before the employee is aware
– As soon as the employee reports for work, the employee is escorted into the supervisor’s office
– Upon receiving notice, the employee is politely escorted to their working space and allowed to collect personal belongings
– The employee is asked to surrender all keys, keycards, and other company property
– The former employee is then politely escorted out of the building
Friendly Departure Procedure
Retirement, promotion, or relocation
– The employee may have tendered notice well in advance of the actual departure date
– This actually makes it harder for security to maintain positive control over the employee’s access and information usage
– Employee access is usually allowed to continue with a new expiration date
– Employees come and go at will, collect their own belongings, and leave on their own
– They are asked to drop off all organizational property “on their way out the door”
Termination
In all circumstances, offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
It is possible that employees foresee their departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment
Termination (continued)
Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine if there has been a breach of policy or a loss of information
In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed
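As an added example (not from the slides or the Whitman and Mattord text), the post-departure log review described above as a script: it takes constructed sample log lines for a departing employee, the account expiration date from the friendly-departure procedure (or the cut-off time from the hostile one), and separates routine activity from the two patterns that should be declared an incident: use of the account after its access should have ended, and bulk copying during the notice period. The log format, user names, dates and the 100 MB copy threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str      # login, read, copy, ...
    target: str
    size_bytes: int


@dataclass(frozen=True)
class Departure:
    user: str
    access_revoked: datetime          # the expiration date set on the account
    notice_given: Optional[datetime]  # None for a hostile, no-notice departure


# Constructed sample log (assumed one-event-per-line format:
# "<ISO timestamp> <user> <action> <target> <bytes>"); not real data.
SAMPLE_LOG = r"""
2003-06-02T09:05:00 jdoe login ws-12 0
2003-06-02T10:30:00 jdoe read \\fs1\projects\status.doc 40000
2003-06-05T18:40:00 jdoe copy \\fs1\projects\bids 250000000
2003-06-06T08:10:00 jdoe copy \\fs1\hr\salaries.xls 120000000
2003-06-13T17:05:00 jdoe login ws-12 0
2003-06-16T07:55:00 jdoe login vpn-gw 0
2003-06-16T09:00:00 asmith read \\fs1\projects\status.doc 40000
"""

# Friendly departure (constructed): jdoe gave notice on 4 June and the account
# was given a new expiration of 13 June 18:00.
JDOE = Departure("jdoe", datetime(2003, 6, 13, 18, 0), datetime(2003, 6, 4, 0, 0))


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped, not guessed."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        when, user, action, target, size = parts
        events.append(Event(datetime.fromisoformat(when), user, action, target, int(size)))
    return events


def review_departure(events: List[Event], dep: Departure,
                     bulk_threshold: int = 100_000_000) -> Dict[str, object]:
    """Separate authorized use from two misuse patterns the slides warn about:
    account activity after the revocation/expiration time, and large copies
    between notice and departure (possible pre-departure information collection)."""
    after_revocation: List[Event] = []
    suspicious_copies: List[Event] = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.user != dep.user:
            continue
        if ev.when >= dep.access_revoked:
            after_revocation.append(ev)  # access should already have been terminated
        elif (dep.notice_given is not None and ev.when >= dep.notice_given
              and ev.action == "copy" and ev.size_bytes >= bulk_threshold):
            suspicious_copies.append(ev)
    # Any hit means the departure is declared an incident and the policy followed.
    return {"after_revocation": after_revocation,
            "suspicious_copies": suspicious_copies,
            "declare_incident": bool(after_revocation or suspicious_copies)}


def example_findings() -> Dict[str, object]:
    """Review the sample log against the friendly-departure record."""
    return review_departure(parse_log(SAMPLE_LOG), JDOE)


def hostile_findings() -> Dict[str, object]:
    """Same log, modelled as a hostile departure: access cut at 08:00 on 5 June, no notice."""
    return review_departure(parse_log(SAMPLE_LOG),
                            Departure("jdoe", datetime(2003, 6, 5, 8, 0), None))
```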
Security Considerations For Nonemployees
A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information
Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft
Temporary Employees
Temporary employees: hired by the organization to serve in a temporary position or to supplement the existing workforce
As they are not employed by the host organization, they are often not subject to its contractual obligations or general policies; if these individuals breach a policy or cause a problem, the actions available are limited
From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties
Ensure that the temp’s supervisor restricts the information to which they have access
Maintenance Personnel
Internal maintenance and custodial personnel who may have access to IT assets need to have the necessary clearances even if handling these assets is not part of their regular job
Contract and warranty service personnel need to be supervised when working on any equipment with access to sensitive or classified data
Contract custodial personnel must be bonded
Contract Employees
Contract employees are typically hired to perform specific services for the organization
The host company often makes a contract with a parent organization rather than with an individual for a particular task
In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility
There is also a need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated
Consultants
Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room
Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization
Just because you pay a security consultant doesn’t make the protection of your information his or her number one priority
Business Partners
Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage
There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom
Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all
Separation of Duties & Collusion
The completion of a significant task that involves sensitive information should require two people using the check and balance method to avoid collusion
– If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises
With the check and balance method, causing an incident requires two or more people to conspire, which is known as collusion
Separation of Duties & Collusion
A similar concept is that of two-man control, where two individuals review and approve each other’s work before the task is categorized as finished
In two-man control, each person completely finishes the necessary work and then submits it to the co-worker
Each co-worker examines the work performed, double-checking the actions performed and ensuring no errors or inconsistencies exist
Separation of Duties & Collusion
Another control used is job rotation, where employees know each other’s job skills
A mandatory vacation of at least one week provides the ability to audit the work
Need-to-know and least privilege ensure that no unnecessary access to data occurs, and that only those individuals who must access the data do so
Preventing Collusion
FIGURE 11-6 Preventing Collusion
Separation of Duties: work is divided up; each team member performs only his or her portion of the task sequence
Two-man control: team members review each other’s work
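As an added example (not from the slides or the Whitman and Mattord text), a small workflow model that enforces the two controls in Figure 11-6 in code: separation of duties means no one person performs more than one step of the sequence, and two-man control means a different co-worker double-checks each finished step before the next one may begin. The task, step and person names are constructed.

```python
from dataclasses import dataclass, field
from typing import List


class ControlViolation(Exception):
    """Raised when an action would defeat separation of duties or two-man control."""


@dataclass
class Step:
    name: str
    performer: str = ""   # who did the work (empty until performed)
    reviewer: str = ""    # who double-checked it (empty until reviewed)


@dataclass
class SensitiveTask:
    name: str
    steps: List[Step] = field(default_factory=list)   # ordered task sequence

    def _step(self, name: str) -> Step:
        for s in self.steps:
            if s.name == name:
                return s
        raise KeyError(name)

    def perform(self, step_name: str, who: str) -> None:
        """Separation of duties: one person performs at most one step, and a step
        may only start once every earlier step has been performed and reviewed."""
        step = self._step(step_name)
        idx = self.steps.index(step)
        if step.performer:
            raise ControlViolation(f"{step_name} already performed by {step.performer}")
        if any(s.performer == who for s in self.steps):
            raise ControlViolation(f"{who} already performed a step of {self.name}")
        if any(not s.performer or not s.reviewer for s in self.steps[:idx]):
            raise ControlViolation(f"earlier steps not performed and reviewed before {step_name}")
        step.performer = who

    def review(self, step_name: str, who: str) -> None:
        """Two-man control: someone other than the performer checks the finished step."""
        step = self._step(step_name)
        if not step.performer:
            raise ControlViolation(f"{step_name} has not been performed yet")
        if who == step.performer:
            raise ControlViolation(f"{who} cannot review their own work on {step_name}")
        step.reviewer = who

    def is_complete(self) -> bool:
        return all(s.performer and s.reviewer for s in self.steps)


def demo() -> SensitiveTask:
    """Constructed three-step task completed with mutual review and no repeated performer."""
    task = SensitiveTask("payroll-export", [Step("extract"), Step("approve"), Step("transmit")])
    task.perform("extract", "alice")
    task.review("extract", "bob")
    task.perform("approve", "bob")
    task.review("approve", "carol")
    task.perform("transmit", "carol")
    task.review("transmit", "alice")
    return task


def violations() -> List[str]:
    """Shortcuts the controls reject; returns the rejection messages for inspection."""
    rejected = []
    task = SensitiveTask("payroll-export", [Step("extract"), Step("approve")])
    task.perform("extract", "alice")
    for fn, args in [(task.review, ("extract", "alice")),    # reviewing one's own work
                     (task.perform, ("approve", "alice")),   # same person, second step
                     (task.perform, ("approve", "bob"))]:    # extract not yet reviewed
        try:
            fn(*args)
        except ControlViolation as exc:
            rejected.append(str(exc))
    return rejected
```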
Privacy and the Security of Personnel Data
Organizations are required by law to protect employee information that is sensitive or personal
This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives
This responsibility also extends to customers, patients, and business relationships
The End…
Discussion!