Principles of information security 4th edition Chapter 11


Contract Employees

Contract employees are typically hired to perform specific services for the organization. In such cases, the host company often makes a contract with a parent organization rather than with an individual for a particular task.
- Usually have an agreement in place to provide access to data.

SSCP

Systems Security Certified Practitioner (SSCP). SSCP focuses "on practices, roles, and responsibilities as defined by experts from major IS industries." SSCP covers seven domains:
- Access Controls
- Cryptography
- Malicious Code and Activity
- Monitoring and Analysis
- Networks and Communications
- Risk, Response, and Recovery
- Security Operations and Administration

Many information security professionals enter the field through one of two career paths: via law enforcement or military personnel, or from other technical information systems professions. In recent years, college students have been able to take courses that prepare them to enter the information security workforce directly.

True

Friendly departures

include resignation, retirement, promotion, or relocation. In this case, the employee may have tendered notice well in advance of the actual departure date. This scenario actually makes it much more difficult for the security team to maintain positive control over the employee's access and information usage.

Hostile departures

include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting. Before the employee knows that he or she is leaving, or as soon as the hostile resignation is tendered, the security staff should terminate all logical and keycard access.

Job rotation or task rotation

Another control used to prevent personnel from misusing information assets is job rotation (also called task rotation).

Security Manager

Security managers are accountable for the day-to-day operation of the information security program.
- Executes the budget

Certified Information Security Manager (CISM)

The second ISACA certificate program is the CISM. This certificate is open to those who have passed the CISM requirements, which are similar to the CISA. Exam domains:
- Information security governance (23 percent)
- Information risk management (22 percent)
- Information security program development (17 percent)
- Information security program management (24 percent)
- Incident management and response (14 percent)

An understanding of the role of education and training in making the users part of the solution is not an attribute to look for in a technically qualified information security professional.

False

An understanding of the threats facing an organization and how these threats can become attacks, as well as an understanding of how to protect the organization from information security attacks, is not an attribute to look for in a technically qualified information security professional.

False

The selection of information security personnel is based on one criterion.

False

Security Considerations for Nonemployees

From a security standpoint, temporary employees' access to information should be limited to that which is necessary for them to perform their duties.
- Temps should only have access to information they need to perform the job.

ISSAP

Information Systems Security Architecture Professional. The major domains for this examination are:
- Access Control Systems and Methodologies
- Telecommunications and Network Security
- Cryptography
- Requirements Analysis & Security Standards, Guidelines, Criteria
- Technology Related BCP and DRP

ISSEP

Information Systems Security Engineering Professional. Developed in conjunction with the NSA. The major domains of the ISSEP examination are:
- Systems Security Engineering
- Certification and Accreditation
- Technical Management
- U.S. Government Information Assurance Regulations

Evaluating Performance

To heighten information security awareness and minimize workplace behavior that poses risks to information security, organizations should incorporate information security components into employee performance evaluations.

An attitude that information security is usually a management problem, not an exclusively technical problem, is an attribute to look for in a technically qualified information security professional.

True

An understanding of the role of policy in guiding security efforts is an attribute to look for in a technically qualified information security professional.

True

During the hiring process for an information security position, an organization should use standard job descriptions to increase the degree of professionalism among applicants and also to make sure the position's roles and responsibilities are consistent with those of similar information security positions in other organizations. Studies of information security positions have found that they can be classified into one of three areas: those that define, those that build, and those that administer.

True

Good people skills, communication skills, writing skills, and a tolerance for users are attributes to look for in a technically qualified information security professional.

True

T/F: The selection of information security personnel is based on a number of criteria. Some of these factors are within the control of the organization and others are not.

True

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor or CISA certification covers many information security components. The CISA certification is open to those who have passed the CISA exam.

This is typically the top information security officer in the organization.

Chief Information Security Officer (CISO or CSO)

What are the two career paths through which information security professionals normally enter the field?

ex-law enforcement and military

Internal Control Strategies

Separation of duties is a cornerstone in the protection of information assets and in the prevention of financial loss. Separation of duties is used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information.

two-person control

The requirement that two individuals review and approve each other's work before the task is categorized as finished.

Business Partners

There must be a prior business agreement that specifies the level of exposure both organizations are willing to endure.

T/F: The placement of the information security function within the organization is a key decision facing the organization. The most popular options involve placing the information security function within the IT function or within the physical security function. Organizations searching for a rational compromise should place the information security function where it can balance its need to enforce organizational policy with its need to deliver service to the entire organization.

true

Separation of duties

Used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information.

Termination

When an employee prepares to leave an organization, the following tasks must be performed:
- Access to the organization's systems must be disabled.
- Removable media must be returned.
- Hard drives must be secured.
- File cabinet locks must be changed.
- Office door locks must be changed.
- Keycard access must be revoked.
- Personal effects must be removed from the organization's premises.
- After the employee has delivered keys, keycards, and other business property, he or she should be escorted from the premises.

Background Checks

A background check is an investigation into the candidate's past that specifically looks for criminal or other types of behavior that could indicate potential for future misconduct. Common checks:
- Identity checks: Validation of identity and Social Security number
- Education and credential checks: Validation of institutions attended, degrees and certifications earned, and certification status
- Previous employment verification: Validation of where candidates worked, why they left, what they did, and for how long
- Reference checks: Validation of references and integrity of reference sources
- Worker's compensation history: Investigation of claims from worker's compensation
- Motor vehicle records: Investigation of driving records, suspensions, and DUIs
- Drug history: Screening for drugs and drug usage, past and present
- Credit history: Investigation of credit problems, financial problems, and bankruptcy
- Civil court history: Investigation of involvement as the plaintiff or defendant in civil suits
- Criminal court history: Investigation of criminal background, arrests, convictions, and time served

When hiring information security professionals, organizations frequently look for individuals who understand the following:

1. How an organization operates at all levels
2. That information security is usually a management problem and is seldom an exclusively technical problem
3. How to work with people and collaborate with end users, and the importance of strong communications and writing skills
4. The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution, rather than part of the problem
5. Most mainstream IT technologies (not necessarily as experts, but as generalists)
6. The terminology of IT and information security
7. The threats facing an organization and how these threats can become attacks
8. How to protect an organization's assets from information security attacks
9. How business solutions (including technology-based solutions) can be applied to solve specific information security problems

Privacy and the Security of Personnel Data

Organizations are required by law to protect employee information that is sensitive or personal. This includes employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members.

Certification and Accreditation Professional (CAP)

The newest certification. In order to qualify for the CAP certification, applicants must have a minimum of two years' experience in one or more of the CAP common body of knowledge domains and thus be prepared to:
- Initiate the preparation phase (formerly known as the certification and accreditation process and certification phase)
- Perform the execution phase (formerly known as the accreditation process)
- Perform the maintenance phase (formerly known as continuous monitoring)
- Understand the purpose of security authorization (formerly known as certification and accreditation, or C&A)

New Hire Orientation

When new employees are introduced into the organization's culture and workflow, they should receive as part of their employee orientation an extensive information security briefing.

Certified Information Systems Security Professional (CISSP)

CISSP covers all ten domains, and requires 3 years of experience and an endorsement:
- Access Control
- Application Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security and Risk Management
- Legal, Regulations, Compliance, and Investigations
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security

ISSMP

Information Systems Security Management Professional. The major domains for this examination are:
- Enterprise Security Management Practices
- Enterprise-Wide System Development Security
- Overseeing Compliance of Operations Security
- Understanding BCP, DRP, and COOP
- Law, Investigations, Forensics, and Ethics

Security Technician

Security technicians are the technically qualified individuals tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization's security technology is properly implemented. The position of security technician is often entry level, but to be hired in this role, candidates must possess some technical skills.

Associate of (ISC)2

The Associate of (ISC)2 program is geared toward those who want to take the CISSP or SSCP exams before obtaining the requisite experience for certification.

Certified Computer Examiner (CCE)®

The Certified Computer Examiner (CCE)® certification is a computer forensics certification provided by the International Society of Forensic Computer Examiners.

CompTIA's Security+

The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years of on-the-job networking experience, with emphasis on security. Exam domains:
- Systems security (21 percent)
- Network infrastructure (20 percent)
- Access control (17 percent)
- Assessments and audits (15 percent)
- Cryptography (15 percent)
- Organizational security (12 percent)

SANS Global Information Assurance Certification (GIAC)

The System Administration, Networking, and Security Organization, better known as SANS, offers the GIAC certifications, which require the applicant to complete a written practical assignment that tests the applicant's ability to apply skills and knowledge. GIAC certifications are organized into five areas: audit, legal, management, security administration, and software security. Additional concentrations in malware and compliance can be pursued once the GSE certification has been earned.

ISACA Certifications

The Information Systems Audit and Control Association (ISACA) was founded by a group of individuals with similar jobs in computer auditing who sought to provide a centralized source of information and guidance.

(ISC)2 Certifications

The International Information Systems Security Certification Consortium, (ISC)2, is considered one of the foremost organizations offering information security certifications today. Currently (ISC)2 offers three primary certifications and three specializations for its flagship certification.

Security Certified Program (SCP)

The SCP certifications provide three tracks: the SCNS (Security Certified Network Specialist), the SCNP (Security Certified Network Professional), and the SCNA (Security Certified Network Architect). All three tracks are designed for the security technician and have dominant technical components, although the SCNA also emphasizes authentication principles. Also, even though the SCNS, SCNP, and SCNA each have a networking focus, they concentrate on network security rather than on true networking (which, for example, is covered by the MCSE and CNE).

On-the-Job Security Training

The organization should integrate the security awareness education

Consultants

These people are typically referred to as consultants, and they have their own security requirements and contractual obligations. Consultants should have all specific requirements for information or facility access integrated into their contracts before these individuals are allowed into the workplace. Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization from possible intentional or accidental breaches of confidentiality.

When filling various information security positions, many organizations indicate the level of proficiency required for the job by specifying that the candidate have recognizable certifications. Some of the more popular certifications are:
- (ISC)2 family of certifications: Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), Associate of (ISC)2, and Certification and Accreditation Professional (CAP)
- ISACA family of certifications: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
- Global Information Assurance Certification (GIAC) family of certifications
- Security Certified Professional (SCP)
- Certified Computer Examiner (CCE)

True
