
Page 1: Security and personnel

Transforming Lives. Inventing the Future. www.iit.edu

ILLINOIS INSTITUTE OF TECHNOLOGY

ITM 578 1

Security and Personnel

Ray Trygstad
ITM 578 Section 071
Summer 2003
Master of Information Technology & Management Program
Center for Professional Development

Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003

Page 2: Security and personnel

Learning Objectives:

Upon completion of this lesson students should be able to:

– Describe where and how the information security function is positioned within organizations

– Discuss issues and concerns about staffing the information security function

– Describe credentials that professionals in the information security field can acquire

Page 3: Security and personnel

Learning Objectives:

Upon completion of this lesson students should be able to:

– Recognize how an organization’s employment policies and practices can support the information security effort

– Explain special security precautions necessary for nonemployees

– Recognize the need for the separation of duties.

– Describe special requirements needed for the privacy of personnel data

Page 4: Security and personnel

Introduction

When implementing information security many human resource issues must be addressed:

1. How to position and name the security function

2. Planning of proper staffing for the information security function

3. Understand the impact of information security across every role in the IT function & adjust job descriptions and documented practices accordingly

4. General management must work with IS professionals to integrate solid information security concepts into organizational personnel management practices

Page 5: Security and personnel

Introduction

Understanding the impact of change on the organization’s personnel management practices is important to the success of implementation

Employees often feel threatened when an organization is creating or enhancing an overall information security program

Quelling doubts and reassuring employees is a fundamental part of implementation

It’s important to supply resources to gather and respond quickly to employee feedback

Page 6: Security and personnel

Security Function Within an Organization’s Structure

The security function can be placed within the:

– IT function

– Physical security function

– Administrative services function

– Insurance and risk management function

– Legal department

Page 7: Security and personnel

Security Function Within an Organization’s Structure

The challenge is to design a structure that balances the competing needs of the communities of interest

Organizations compromise to balance needs of enforcement with needs for education, training, awareness, and customer service

Page 8: Security and personnel

Audit Function of IT Security

Since Information Security has an important audit function, some feel it should not be in the IT organization

This is based on the principle that audit organizations should be external to the area audited

Page 9: Security and personnel

Staffing the Security Function

Selecting information security personnel is based on many criteria, including supply and demand

Many professionals enter the security market by gaining skills, experience, and credentials to qualify as new supply

Page 10: Security and personnel

Staffing the Security Function

Until the new supply reaches the demand level, organizations must pay higher costs associated with the current limited supply

When supply reaches a level at or above demand, organizations hiring these skills can become selective so the cost they are willing to pay drops

Currently the information security industry is in a period of high demand

Page 11: Security and personnel

Qualifications and Requirements

Issues in information security hiring:

– Management should learn more about position requirements and qualifications

– Upper management should also learn more about the budgetary needs of the information security function

– Management needs to learn more about the level of influence and prestige the information security function should be given in order to be effective

Page 12: Security and personnel

Qualifications and Requirements

Organizations typically look for a technically-qualified information security generalist

In the information security discipline, over-specialization is often a risk and it is important to balance technical skills with general information security knowledge

Page 13: Security and personnel

Hiring Criteria

When hiring infosec professionals, organizations frequently look for individuals who understand:

– How an organization operates at all levels

– Information security is usually a management problem and is seldom an exclusively technical problem

– People, and have strong communications and writing skills

– The roles of policy and education and training

Page 14: Security and personnel

More Hiring Criteria

When hiring infosec professionals, organizations frequently look for individuals who understand:

– The threats and attacks facing an organization

– How to protect the organization from attacks

– How business solutions can be applied to solve specific information security problems

– Many of the most common mainstream IT technologies as generalists

– The terminology of IT and information security

Page 15: Security and personnel

Entry into the Security Profession

Many information security professionals enter the field through one of two career paths:

– ex-law enforcement and military personnel

– technical professionals working on security applications and processes

Today, students are selecting and tailoring degree programs to prepare for work in security

Page 16: Security and personnel

Career Paths to InfoSec Positions

FIGURE 11-1 Career Paths to Information Security Positions (diagram; labels: Military and law enforcement, Technology, Security education, Security)

Page 17: Security and personnel

Entry into the Security Profession

Current perception is that a security professional must first be a proven professional in another field of IT

IT professionals moving into information security often focus on the technology to the exclusion of general information security issues

Organizations can foster greater professionalism in the field through clearly defined expectations and position descriptions

Page 18: Security and personnel

Information Security Positions

The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations

Organizations that are revising the roles and responsibilities of InfoSec staff can consult references

Page 19: Security and personnel

Positions in Information Security

FIGURE 11-2 Positions in Information Security (chart; positions shown: Chief Information Security Officer (CISO), Security Consultant, Security Administrator, Security Manager, Security Officer, Security Technician)

Page 20: Security and personnel

InfoSec Staffing Help Wanted

Definers provide the policies, guidelines, and standards

Builders are the real techies, who create and install security solutions

Operators run and administer the security tools, perform security monitoring, and continuously improve processes

Page 21: Security and personnel

Chief Information Security Officer

Top information security position in the organization

– Not usually an executive

– Frequently reports to the CIO/CTO

Qualifications & position requirements

– Often a CISSP

– Graduate degree

– Experience as a security manager

Business managers first—technologists second; must also be conversant in all areas of security, including technical, planning, and policy

Page 22: Security and personnel

CISO Functions

Manage the overall InfoSec program

Draft or approve information security policies

Work with the CIO on strategic plans, develop tactical plans, and work with security managers on operational plans

Develop InfoSec budgets based on funding

Set priorities for InfoSec projects & technology

Make decisions in recruiting, hiring, and firing of security staff

Act as spokesperson for the security team

Page 23: Security and personnel

Security Manager

Accountable for the day-to-day operation of the information security program

Accomplishes objectives as identified by the CISO

Qualifications and position requirements:

– Not uncommon to have a CISSP

– Traditionally, managers have earned the CISSP while technical professionals earned the Global Information Assurance Certification

– Must have the ability to draft middle- and lower-level policies as well as standards and guidelines

– They must have experience in budgeting, project management, and hiring and firing

– They must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities

Page 24: Security and personnel

Security Technician

Technically qualified individuals tasked to configure security hardware and software

Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution

Qualifications and position requirements:

– Organizations prefer expert, certified, proficient technicians

– Job descriptions cover some level of experience with a particular hardware and software package

– Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required

Page 25: Security and personnel

Internal Security Consultant

Typically an expert in some aspect of information security

While it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant

Must be highly proficient in the managerial aspects of security

Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO

Page 26: Security and personnel

Credentials of Infosec Professionals

Many organizations seek recognizable certifications to indicate proficiency level associated with various security positions

Most certifications are relatively new and not fully understood by hiring organizations

Page 27: Security and personnel

Credentials of Infosec Professionals

Certifying bodies work hard to educate the general public on value and qualifications of their certificate recipients

Employers are trying to understand the match between certifications and position requirements, and candidates are trying to gain meaningful employment based on newly received certifications

Page 28: Security and personnel

Credentials of Infosec Professionals

Certifications:

– Certified Information Systems Security Professional (CISSP) & Systems Security Certified Practitioner (SSCP) [(ISC)2]

– Global Information Assurance Certification (GIAC) [SANS Institute]

– Security Certified Professional (SCP) [SCP]

– TruSecure ICSA Certified Security Associate (TICSA) & TruSecure ICSE Certified Security Expert (TICSE) [TruSecure]

Page 29: Security and personnel

Credentials of Infosec Professionals

Certifications:

– Security+ [CompTIA]

– Certified Information Systems Auditor (CISA) & Certified Information Security Manager (CISM) [ISACA]

– Certified Information Forensics Investigator (CIFI) [ISFA]

– Computer and Network Security Technologies Graduate Certificate [IIT]

Page 30: Security and personnel

Cost of Being Certified

Certifications cost money, and the better certifications can be quite expensive; the cost of training can also be significant

Even an experienced professional finds it difficult to sit for one of these exams without some preparation

Page 31: Security and personnel

Cost of Being Certified

Many candidates teach themselves through trade press books; others prefer the structure of formal training

Before attempting a certification exam, do your homework and review the exam criteria, its purpose and requirements in order to ensure that the time and energy spent pursuing the certification are well spent

Page 32: Security and personnel

Preparing for Security Certification

FIGURE 11-3 Preparing for Security Certification (diagram; inputs shown: Self-Study Guides, Mentors & Study Partners, Work Experience, Training Media, Formal Training Programs; outcome: Certification)

Page 33: Security and personnel

Advice for Information Security Professionals

If you are a future information security professional, you can benefit from these suggestions on entering the information security job market:

– Always remember: business first, technology last

– It’s all about the information

– Be heard and not seen

– Know more than you say, be more skillful than you let on

– Speak to users, not at them

– Your education is never complete

Page 34: Security and personnel

Employment Policies and Practices

General management should integrate solid information security concepts into the organization’s employment policies and practices

If the organization can include security as a documented part of every employee’s job description, perhaps information security will be taken more seriously

Page 35: Security and personnel

Hiring and Termination Issues

From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls

The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel

Page 36: Security and personnel

Hiring Issues

FIGURE 11-4 Hiring Issues (diagram; labels: Certifications, Background Checks, Covenants & Agreements, Policies, Contracts)

Page 37: Security and personnel

Job Descriptions

Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions

To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions

Page 38: Security and personnel

Interviews

An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate

Information security should advise HR to limit information provided to the candidate on the responsibilities and access rights the new hire would have

For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility

Page 39: Security and personnel

Background Checks

A background check is an investigation into a candidate’s past

There are regulations that govern such investigations

Background checks differ in the level of detail and depth with which the candidate is examined:

– Identity checks

– Education and credential checks

– Previous employment verification

– References checks

– Worker’s Compensation history

– Motor vehicle records

– Drug history

– Credit history

– Civil court history

– Criminal court history

Page 40: Security and personnel

Fair Credit Reporting Act

Federal regulations govern the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)

Background reports contain information on a job candidate’s credit history, employment history, and other personal data

FCRA prohibits employers from obtaining these reports unless the candidate is informed

Page 41: Security and personnel

Employment Contracts

Once a candidate has accepted the job offer, the employment contract becomes an important security instrument

Many security policies require an employee to agree in writing

– If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation

Page 42: Security and personnel

Employment Contracts

New employees, however, may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he/she agrees to the binding organizational policies

Page 43: Security and personnel

New Hire Orientation

As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security

The levels of authorized access are outlined, and training provided on the secure use of information systems

By the time employees are ready to report to their positions, they should be thoroughly briefed, and ready to perform their duties securely

Page 44: Security and personnel

On-the-Job Security Training

As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness training

Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security awareness mission

Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees

Page 45: Security and personnel

Performance Evaluation

To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations

Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level

Page 46: Security and personnel

Termination

When an employee leaves an organization, there are a number of security-related issues

Key is protection of all information to which employee had access

Page 47: Security and personnel

Termination Tasks

When an employee leaves, several tasks must be performed:

– Revoke access to the organization’s systems

– Return removable media

– Secure hard drives

– Change file cabinet locks

– Change office door lock

– Revoke keycard access

– Remove all personal effects from the organization’s premises

Once cleared—if circumstances dictate—former employees should be escorted from the premises

Page 48: Security and personnel

Exit Interview

In addition, many organizations use an exit interview

Obtain feedback on the employee’s tenure in the organization

Remind the departing employee of contractual obligations, such as nondisclosure agreements

Also remind departing employee that if they fail to comply with contractual obligations, civil or criminal action may result

Page 49: Security and personnel

Exit Scenarios

From a security standpoint, security cannot risk the exposure of organizational information

Simplest and best method to handle the outprocessing of an employee is to select one of the scenarios that follows, based on the employee’s reasons for leaving

– Hostile departure (nonvoluntary) procedure: termination, downsizing, lay off, or quitting

– Friendly departure (voluntary): retirement, promotion, or relocation

Page 50: Security and personnel

Hostile Departure Procedure

Termination, downsizing, lay off, or quitting

– Terminate all logical and keycard access before employee is aware

– As soon as employee reports for work, employee is escorted into supervisor’s office

– Upon receiving notice, employee is politely escorted to working space and allowed to collect personal belongings

– Employee asked to surrender all keys, keycards, and other company property

– Former employee then politely escorted out of the building

Page 51: Security and personnel

Friendly Departure Procedure

Retirement, promotion, or relocation

– Employee may have tendered notice well in advance of the actual departure date

– Actually makes it harder for security to maintain positive control over the employee’s access and information usage

– Employee access is usually allowed to continue with a new expiration date

– Employees come and go at will and collect their own belongings, and leave on their own

– Asked to drop off all organizational property “on their way out the door”
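The two departure procedures above, together with the termination task list from page 47, worked as an added example (written for this page; it is not code from the slides or from Whitman and Mattord). It assumes a hypothetical list of access grants per employee, departure types named "hostile" and "friendly", and that a friendly departure keeps access alive until an agreed last day. The audit function lists every grant still usable after the plan's effective moment, which is how a forgotten grant that nobody entered in the plan shows up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model (not from the slides): one row per access an employee
# holds, logical (accounts, VPN) or physical (keys, keycards).
@dataclass
class AccessGrant:
    system: str
    kind: str                           # "logical" or "physical"
    active: bool = True
    expires: Optional[datetime] = None  # None means no expiry has been set

# Tasks from the page-47 checklist that apply to every departure type.
COMMON_TASKS = [
    "return removable media",
    "secure hard drives",
    "change file cabinet and office door locks",
    "inventory office and files; store or destroy them",
    "return all organizational property to stores",
]

@dataclass
class RevocationPlan:
    employee: str
    departure: str            # "hostile" or "friendly"
    effective: datetime       # after this moment no grant may still be usable
    tasks: List[str] = field(default_factory=list)

def build_plan(employee, grants, departure, now, last_day=None):
    """Apply the chosen exit scenario to the employee's grants (mutated in place)."""
    if departure == "hostile":
        # Terminate all logical and keycard access before the employee is aware.
        effective = now
        for g in grants:
            g.active = False
            g.expires = now
        tasks = [
            "disable every account and keycard immediately",
            "escort to supervisor's office, then to work space for belongings",
            "collect keys, keycards and company property; escort out",
        ] + COMMON_TASKS
    elif departure == "friendly":
        if last_day is None:
            raise ValueError("friendly departure needs the agreed last day")
        # Access continues with a new expiration date; if the agreed day has
        # already passed (late paperwork), revoke now rather than in the past.
        effective = last_day if last_day > now else now
        for g in grants:
            g.expires = effective
        tasks = [
            f"set expiry of every account and keycard to {effective:%Y-%m-%d %H:%M}",
            "remind of contractual obligations at the exit interview",
            "collect organizational property on the way out",
        ] + COMMON_TASKS
    else:
        raise ValueError(f"unknown departure type: {departure!r}")
    return RevocationPlan(employee, departure, effective, tasks)

def outstanding_access(grants, at):
    """Grants still usable at time `at`. After the plan's effective moment this
    must be empty; anything listed is a missed revocation to chase."""
    return [g.system for g in grants
            if g.active and (g.expires is None or g.expires > at)]

def demo_scenarios():
    """Run both scenarios on constructed data and return the audit results."""
    now = datetime(2003, 7, 1, 9, 0)
    hostile = [AccessGrant("vpn", "logical"), AccessGrant("keycard", "physical"),
               AccessGrant("file-server", "logical")]
    h_plan = build_plan("jdoe", hostile, "hostile", now)
    friendly = [AccessGrant("vpn", "logical"), AccessGrant("keycard", "physical")]
    f_plan = build_plan("asmith", friendly, "friendly", now,
                        last_day=now + timedelta(days=14))
    stray = AccessGrant("vendor-portal", "logical")   # never entered in any plan
    late = build_plan("rlee", [AccessGrant("email", "logical")], "friendly", now,
                      last_day=now - timedelta(days=1))
    return {
        "hostile_immediate": h_plan.effective == now,
        "hostile_outstanding": outstanding_access(hostile, now),
        "friendly_before_last_day": outstanding_access(friendly, now),
        "friendly_after_last_day": outstanding_access(friendly, f_plan.effective),
        "stray_after_last_day": outstanding_access(friendly + [stray], f_plan.effective),
        "late_paperwork_effective_now": late.effective == now,
    }

if __name__ == "__main__":
    for name, value in demo_scenarios().items():
        print(f"{name}: {value}")
```

The stray grant is the case the friendly procedure makes easy to miss: with a long notice period and access left running, the only defence against a grant that never made it into the plan is an audit of every grant the person holds, run at the effective moment rather than at the time the plan was written.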

Page 52: Security and personnel

Termination

In all circumstances, offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores

It is possible that the employees foresee departure well in advance, and begin collecting organizational information or anything that could be valuable in their future employment

Page 53: Security and personnel

Termination (continued)

Only by scrutinizing systems logs after the employee has departed, and sorting out authorized actions from systems misuse or information theft can the organization determine if there has been a breach of policy or a loss of information

In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed
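The log scrutiny the slide describes, as an added example (not from the slides or the textbook). It assumes a hypothetical line-oriented log format (`timestamp user=... action=... bytes=...`), a constructed sample log, and two moments the organization already knows: when notice was given and when access was supposed to be revoked. It separates the departed user's actions into the categories the text names, any activity after revocation (a revocation that did not take), and unusual copying during the notice period, and reports whether the findings should be declared an incident.

```python
import re
from datetime import datetime

# Constructed log format (an assumption, not any real product's format):
# ISO timestamp, user, action, optional byte count for transfers.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: bytes=(?P<bytes>\d+))?\s*$"
)

# Constructed sample log: jdoe gives notice on 2003-07-01, last day 2003-07-10,
# and access is supposed to be gone from 2003-07-11 00:00.
SAMPLE_LOG = """\
2003-06-20T09:10:00 user=jdoe action=login
2003-06-20T09:12:00 user=jdoe action=download bytes=2000000
2003-06-25T14:00:00 user=jdoe action=download bytes=3000000
2003-07-02T08:30:00 user=jdoe action=login
2003-07-02T08:45:00 user=jdoe action=download bytes=120000000
2003-07-03T22:10:00 user=jdoe action=download bytes=95000000
2003-07-10T17:00:00 user=jdoe action=logout
2003-07-12T03:15:00 user=jdoe action=login
2003-07-12T03:16:00 user=jdoe action=download bytes=500000
2003-07-05T10:00:00 user=asmith action=download bytes=150000000
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "action": m["action"], "bytes": int(m["bytes"] or 0)}

def review_departure(lines, user, notice_given, access_revoked,
                     export_threshold=50_000_000, spike_factor=3.0):
    """Sort a departed user's actions into authorized use and possible misuse.

    after_revocation: events at or after access_revoked; access that should have
      been terminated is still working, which is itself a breach of policy.
    bulk_exports: single downloads in the notice window of export_threshold
      bytes or more.
    volume_spike: download volume in the notice window is spike_factor times the
      volume in an equally long window just before notice was given.
    """
    events = sorted((e for e in map(parse_line, lines) if e and e["user"] == user),
                    key=lambda e: e["ts"])
    window = access_revoked - notice_given
    baseline_start = notice_given - window

    after = [e for e in events if e["ts"] >= access_revoked]
    notice = [e for e in events if notice_given <= e["ts"] < access_revoked]
    baseline = [e for e in events if baseline_start <= e["ts"] < notice_given]

    bulk = [e for e in notice
            if e["action"] == "download" and e["bytes"] >= export_threshold]
    notice_bytes = sum(e["bytes"] for e in notice if e["action"] == "download")
    baseline_bytes = sum(e["bytes"] for e in baseline if e["action"] == "download")
    spike = notice_bytes > 0 and (baseline_bytes == 0
                                  or notice_bytes / baseline_bytes >= spike_factor)

    findings = {
        "after_revocation": after,
        "bulk_exports": bulk,
        "notice_window_bytes": notice_bytes,
        "baseline_bytes": baseline_bytes,
        "volume_spike": spike,
    }
    # Per the slide: illegally copied or stolen information is an incident,
    # to be handled under the incident policy rather than informally.
    findings["declare_incident"] = bool(after or bulk or spike)
    return findings

def demo_report(user="jdoe"):
    """Review the constructed sample log for one user."""
    return review_departure(SAMPLE_LOG.splitlines(), user,
                            datetime(2003, 7, 1), datetime(2003, 7, 11))

if __name__ == "__main__":
    for key, value in demo_report().items():
        print(key, len(value) if isinstance(value, list) else value)
```

The two post-revocation events are the finding to act on first: whatever the download volume means, an account that still works after its revocation date says the termination checklist was not completed, and that is verifiable from the logs alone.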

Page 54: Security and personnel

Security Considerations For Nonemployees

A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information

Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft

Page 55: Security and personnel

Temporary Employees

Temporary employees: hired by the organization to serve in a temporary position or to supplement existing workforce

As they are not employed by the host organization, they are often not subject to the contractual obligations or general policies; if these individuals breach a policy or cause a problem, actions are limited

From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties

Ensure that the temp’s supervisor restricts the information to which they have access

Page 56: Security and personnel

Maintenance Personnel

Internal maintenance and custodial personnel who may have access to IT assets need to have necessary clearances even if handling these assets is not part of their regular job

Contract and warranty service personnel need to be supervised when working on any equipment with access to sensitive or classified data

Contract custodial personnel must be bonded

Page 57: Security and personnel

Contract Employees

Contract employees are typically hired to perform specific services for the organization

The host company often makes a contract with a parent organization rather than with an individual for a particular task

In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility

There is also the need for certain restrictions or requirements to be negotiated into the contract agreements when they are activated

Page 58: Security and personnel

Consultants

Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room

Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization

Just because you pay a security consultant, doesn’t make the protection of your information his or her number one priority

Page 59: Security and personnel

Business Partners

Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply to discuss operations for mutual advantage

There must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom

Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as system connection means that the vulnerability of one system is the vulnerability of all

Page 60: Security and personnel

Separation of Duties & Collusion

The completion of a significant task that involves sensitive information should require two people using the check and balance method to avoid collusion

– If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises

Check and balance method requires two or more people to conspire to commit an incident, known as collusion.

Page 61: Security and personnel

Separation of Duties & Collusion

A similar concept is that of two-man control, when two individuals review and approve each other’s work before the task is categorized as finished

In two-man control, each person completely finishes necessary work, and then submits it to the co-worker.

Each co-worker examines the work performed, double checking the actions performed, ensuring no errors or inconsistencies exist

Page 62: Security and personnel

Separation of Duties & Collusion

Another control used is job rotation, where employees know each other’s job skills

A mandatory vacation, of at least one week, provides the ability to audit the work

Need-to-know and least privilege ensures that no unnecessary access to data occurs, and that only those individuals who must access the data do so
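The three controls from pages 60 to 62 (separation of duties, two-man control, need-to-know) as an added example, written for this page rather than taken from the slides or the textbook. It assumes a hypothetical three-step sensitive task (prepare, approve, execute) and a constructed need-to-know table. The point it shows is that the control lives in the workflow itself: one person cannot complete the task alone, a self-review is rejected outright, and defeating the check requires a second person to conspire, which is the collusion the slides describe.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

class ControlViolation(Exception):
    """Raised when an action would let one person defeat a personnel control."""

@dataclass
class SensitiveTask:
    """Separation of duties: each step of the sequence must be done by a
    different person, in order (hypothetical three-step task)."""
    task_id: str
    steps: Tuple[str, ...] = ("prepare", "approve", "execute")
    performed: Dict[str, str] = field(default_factory=dict)   # step -> person

    def complete(self) -> bool:
        return len(self.performed) == len(self.steps)

    def perform(self, step: str, person: str) -> bool:
        """Record one step; returns True once the whole sequence is done."""
        if self.complete():
            raise ControlViolation(f"{self.task_id}: task already complete")
        expected = self.steps[len(self.performed)]
        if step != expected:
            raise ControlViolation(f"{self.task_id}: '{step}' attempted before '{expected}'")
        if person in self.performed.values():
            raise ControlViolation(
                f"{self.task_id}: {person} already performed a step; a second person is required")
        self.performed[step] = person
        return self.complete()

def two_man_control(work: Dict[str, str], reviews: List[Tuple[str, str, bool]]) -> bool:
    """Two-man control: both people finish their own work, then each reviews the
    other's. `work` maps person -> finished item; `reviews` holds tuples of
    (reviewer, author, approved). The task is finished only when every item was
    approved by the other member of the pair; self-review is rejected outright."""
    if len(work) != 2:
        raise ValueError("two-man control needs exactly two people")
    approved: Set[str] = set()
    for reviewer, author, ok in reviews:
        if author not in work or reviewer not in work:
            raise ControlViolation(f"{reviewer} reviewing {author}: outside the pair")
        if reviewer == author:
            raise ControlViolation(f"{author} may not review their own work")
        if ok:
            approved.add(author)
    return approved == set(work)

# Need-to-know / least privilege: a resource is readable only by the people
# listed for it; absence from the table is a denial (constructed table).
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "payroll-db": {"alice", "bob"},
    "hr-records": {"carol"},
}

def may_access(person: str, resource: str, table=NEED_TO_KNOW) -> bool:
    return person in table.get(resource, set())

def run_sensitive_task():
    """Walk one task through three people, recording every attempt that was
    blocked: the same person taking two steps, and steps taken out of order."""
    blocked = []
    task = SensitiveTask("wire-transfer-42")
    task.perform("prepare", "alice")
    attempts = (("approve", "alice"), ("execute", "bob"), ("approve", "bob"),
                ("prepare", "carol"), ("execute", "carol"))
    for step, person in attempts:
        try:
            task.perform(step, person)
        except ControlViolation as exc:
            blocked.append(str(exc))
    return task, blocked

if __name__ == "__main__":
    task, blocked = run_sensitive_task()
    print(task.performed, task.complete())
    for reason in blocked:
        print("blocked:", reason)
    print(two_man_control({"alice": "report-A", "bob": "report-B"},
                          [("bob", "alice", True), ("alice", "bob", True)]))
```

Two design choices are deliberate: the task refuses a step from anyone who already took one (so it takes three people, not two, to finish this particular task), and two-man control raises on a self-review instead of silently ignoring it, so the attempt is visible in whatever logs the workflow keeps, which is what an auditor looks for when reviewing a mandatory-vacation or job-rotation period.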

Page 63: Security and personnel

Preventing Collusion

FIGURE 11-6 Preventing Collusion

Separation of Duties: Work is divided up. Each team member performs only his or her portion of the task sequence.

Two-man control: Team members review each other’s work

Page 64: Security and personnel

Privacy and the Security of Personnel Data

Organizations are required by law to protect employee information that is sensitive or personal

This includes employee addresses, phone numbers, social security numbers, medical conditions, and even names and addresses of family and relatives

This responsibility also extends to customers, patients, and business relationships

Page 65: Security and personnel

The End…

Discussion!