Infosec Chapt. 11

"collusion:

A conspiracy or cooperation between two or more individuals or groups to commitillegal or unethical actions."

"ISSEP®: Information Systems Security Engineering Professional"

"Systems security engineering" "• Certification and accreditation/risk management framework • Technical management • U.S. government information assurance-related policies and issuances"

"This checks-and-balances method requires two or more people to con-spire to commit a theft or other misadventure, which is known as "

"collusion."

"Separation of duties can also be applied to"

"critical information and information systems.For example, one programmer might update the software in the systems, and a supervi-sor or coworker might then apply the tested update to the production system followingthe procedures of the change management process. Alternatively, one employee might beauthorized to initiate backups to the system, while another mounts and dismounts thephysical media."

"Organizations typically prefer "

"expert, certified,proficient technicians. Job requirements usually include some level of experience with a par-ticular hardware and software package. Sometimes, familiarity with a particular technologyis enough to secure an applicant an interview; however, experience using the technology isusually required."

"The certification requires the candidate to have a minimum of "

"three years of experience inrisk management and information systems control across at least three of the stateddomains, although the candidate may elect to take the exam before having the experience.This practice is accepted and encouraged by ISACA, but the candidate will not receive thecertification until the experience requirement is met."

"the chief information security officer (CISO) is often considered the "

"top InfoSecofficer in the organization. He or she frequently reports to the chief information officer(CIO), unless the organization employs a chief security officer (CSO) who oversees both physical and InfoSec areas. "

"The GIAC management certifications include:"

"• GIAC Security Leadership Certification (GSLC) • GIAC Information Security Professional (GISP) • GIAC Certified Project Manager Certification (GCPM)"

"To be certified, the applicant must:"

"• Pass the examination • Adhere to a code of ethics promulgated by ISACA • Pursue continuing education as specified • Document five years of InfoSec work experience with at least three years in InfoSecmanagement in three of the four defined areas of practice"

"The Computing Technology Industry Association (CompTIA)—the organization that offeredthe first vendor-neutral professional IT certifications, the Aþ series—now offers severalsecurity-related certifications:"

"•Security+ • Mobile App Security+ • CompTIA Advanced Security Practitioner (CASP)"

"For the office:"

"•To avoid shoulder surfing, don't type in passwords with someone else there—orif you must, do so quickly. To eliminate individuals wandering through halls, ensure all visitors are accom-panied by an employee at all times. To prevent someone from stealing sensitive documents, ensure all documentsare properly classified and labeled and locked when not actively in use. To prevent someone from stealing mail from the mailroom, ensure the mailroomis locked at all times, preferably with keycard access."

"security technician:

A technically qualified individual who may configure firewalls and IDPSs,implement security software, diagnose and troubleshoot problems, and coordinate with systemsand network administrators to ensure that security technical controls are properly implemented.Also known as a security admin."

"task rotation:

The requirement that all critical tasks can be performed by multiple individuals."

"job rotation:

The requirement that every employee be able to perform the work of at least oneother employee."

"From a security standpoint, temporary workers' access to information should be limited to"

what is necessary to perform their duties. The organization can attempt to have temps signnondisclosure agreements and fair use policies, but the temp agency may refuse to go along,forcing the host organization to either dismiss the temp workers or allow them to work with-out such agreements. This can create an awkward—and potentially dangerous—situation. Itmay be impossible to limit a temp's access to information that is beyond the scope of his orher assigned tasks. The only way to combat this threat is to ensure that employees who aresupervising temporary workers restrict their access to information, and to make sure that allworkers—whether employees or temps—follow good security practices, especially clean deskpolicies and the securing of classified data. Temps can provide great benefits to organizations,but they should not be employed at the cost of sacrificing InfoSec."

"The domains include general security skills, intrusion detection and analysis skills, andincident handling skills. The candidates are required to bring in their own Windows OSlaptop and a VM client, and are issued an external hard drive with various applicationsand images, which they will use to perform the exercises. During the course of the lab,applicants will:"

" Capture, analyze, and interpret network traffic using common open source tools likeWireshark and Snort. • Handle various incidents like computer attacks and malware-infected systems, demon-strating the ability to collect and preserve evidentiary materials. Secure Windows, Linux, and UNIX systems, including using cryptography todemonstrate a thorough understanding of networking protocols and security principles. • Display their ability to use common security tools like port and vulnerability scanners,Personnel and Security•sniffers, and firewall applications. • Demonstrate the ability to write security policies and contingency plans and to analyze493complex security problems."

"These mistakes—and all my others—are precious. Each reminds me to take my jobseriously, because others certainly do! If you can, learn from my errors by doing thefollowing:"

" Understand the Relationships—""Managers invest in their employees, and theyknow more about those personnel than you likely do. " Ask for a Sanity Check—Sometimes we see what we expect. Have a peer inde-pendently review your facts when dealing with a person you dislike." "Brace for Impact—Organizations handle personnel security issues according tounique needs."

"Once the prerequisites are met, the candidate must complete a multiple-choice exam with aminimum passing score of 75%. Upon successful completion of the multiple-choice exam,the candidate must then pass a two-day GSE lab exam:"

""Day 1 of the GSE lab consists of an incident response scenario that requiresthe candidate to analyze data and report their results in a written report. Day2 consists of a rigorous battery of hands-on exercises drawn from all of thedomains listed below.""

"The GIAC family of certifications can be pursued independently or as part of a comprehen-sive certification called GIAC Security Expert (GSE). The GSE is an overview certificationthat combines basic technical knowledge with an understanding of threats, risks, and bestpractices, similar to—but more technical than—the CISSP. In order to sit for the GSE, candi-dates must have met the prerequisite requirements:"

""GSE prerequisite list (including substitution options): A. GSEC, GCIH, GCIA with two gold B. GSEC, GCIH, GCIA with one gold and one substitute C. GSEC, GCIH, GCIA with no gold and two substitutes D. GCWN, GCUX, GCIH, GCIA with one gold E. GCWN, GCUX, GCIH, GCIA with no gold and one substitute"

"Because it is difficult to master all 10 domains and document the experience require-ment of the CISSP certification, many security professionals seek other less rigorous certifica-tions, such as"

"(ISC)2's SSCP certification. Like the CISSP, the SSCP certification is moreapplicable to the security manager than to the technician, as the bulk of its questions focuson the operational nature of InfoSec. The SSCP focuses on practices, roles, and responsibili-ties as defined by experts from major InfoSec industries.10 Nevertheless, the InfoSec techni-cian seeking advancement can benefit from this certification."

"Also available from ISACA is the Certified in the Governance of Enterprise IT(CGEIT) certification. The exam is targeted at upper-level executives (including CISOs andCIOs, directors, and consultants with knowledge and experience in IT governance). TheCGEIT areas of knowledge include risk management components, making it of interest toupper-level InfoSec managers. The exam covers the following areas, as described in the"ISACA Exam Candidate Information Guide 2015" and the ISACA CGEIT Web site:"

"1. Framework for the Governance of Enterprise IT (25 percent)—Ensure the definition,establishment, and management of a framework for the governance of enterprise IT inalignment with the mission, vision, and values of the enterprise." "2. Strategic Management (20 percent)—Ensure that IT enables and supports the achieve-ment of enterprise objectives through the integration and alignment of IT strategicplans with enterprise strategic plans." "3. Benefits Realization (16 percent)—Ensure that IT-enabled investments are managed to—Ensure that IT-enabled investments are managed to—deliver optimized business benefits and that benefit realization outcome and performancemeasures are established, evaluated, and progress is reported to key stakeholders." "4. Risk Optimization (24 percent)—Ensure that an IT risk management framework existsto identify, analyze, mitigate, manage, monitor, and communicate IT-related businessrisk, and that the framework for IT risk management is in alignment with the enterpriserisk management (ERM) framework." "5. Resource Optimization (15 percent)—Ensure the optimization of IT resources includinginformation, services, infrastructure and applications, and people, to support the achieve-ment of enterprise objectives."

"CISSP certification requires both successful completion of the exam and, to ensure that theapplicant meets the experience requirement, attestation to submitted information andresponses to the following questions, which are included in the "CISSP Exam Outline: Can-didate Information Bulletin":"

"1. Have you ever been convicted of a felony; a misdemeanor involving a computer crime,dishonesty, or repeat offenses; or a Court Martial in military service, or is there a felonycharge, indictment, or information now pending against you?" "2. Have you ever had a professionallicense, certification, membership or registrationrevoked, or have you ever been censured or disciplined by any professional organizationor government agency?" "3. Have you ever been involved, or publicly identified, with criminal hackers or hacking?" "4. Have you ever been known by any other name, alias, or pseudonym?"

"The CISM credential is geared toward experienced InfoSec managers and otherswho may have InfoSec management responsibilities. The CISM can assure executive man-agement that a candidate has the required background knowledge needed for effective secu-rity management and consulting. This exam is offered annually. The CISM examinationcovers the following practice domains described in the "ISACA Exam Candidate Informa-tion Guide 2015" and the ISACA CISM Web site:"

"1. Information Security Governance (24 percent)—Establish and maintain an informationsecurity governance framework and supporting processes to ensure that the informationsecurity strategy is aligned with organizational goals and objectives, information risk ismanaged appropriately, and program resources are managed responsibly." "2. Information Risk Management and Compliance (33 percent)—Manage informationrisk to an acceptable level to meet the business and compliance requirements of theorganization." "3. Information Security Program Development and Management (25 percent)—Establishand manage the information security program in alignment with the information secu-rity strategy." "4. Information Security Incident Management (18 percent)—Plan, establish, and managethe capability to detect, investigate, respond to, and recover from information securityincidents to minimize business impact."

"The newest ISACA certification is the CRISC (Certified in Risk and InformationSystems Control). The certification positions IT professionals for careers that link IT riskmanagement with enterprise risk management. The CRISC areas of knowledge include riskmanagement components, making it of interest to upper-level InfoSec managers. The examcovers the following areas, as described in the "ISACA Exam Candidate Information Guide2015" and the ISACA CRISC Web site:"

"1. Risk Identification (27 percent)—Identify the universe of IT risk to contribute to theexecution of the IT risk management strategy in support of business objectives and inalignment with the enterprise risk management (ERM) strategy." "2. Risk Assessment (28 percent)—Analyze and evaluate IT risk to determine the likelihood—Analyze and evaluate IT risk to determine the likelihood—and impact on business objectives to enable risk-based decision making." "3. Risk Response and Mitigation (23 percent)—Determine risk response options and evalu-ate their efficiency and effectiveness to manage risk in alignment with business objectives." "4. Risk and Control Monitoring and Maintenance (22 percent)—Continuously monitorand report on IT risk and controls to relevant stakeholders to ensure the continued effi-ciency and effectiveness of the IT risk management strategy and its alignment to busi-ness objectives."

"The exam covers the following areas of information systems auditing as described in the"ISACA Exam Candidate Information Guide 2015" and the ISACA CISA Web site:"

"1. The Process of Auditing Information Systems (14 percent)—Provide audit services inaccordance with IT audit standards to assist the organization with protecting and con-trolling information systems." "2. Governance and Management of IT (14 percent)—Provide assurance that the necessaryleadership and organizational structures and processes are in place to achieve objectivesand to support the organization's strategy." "3. Information Systems Acquisition, Development, and Implementation (19 percent)—Provide assurance that the practices for the acquisition, development, testing, and imple-mentation of information systems meet the organization's strategies and objectives." "4. Information Systems Operations, Maintenance, and Support (23 percent)—Provideassurance that the processes for information systems operations, maintenance, and sup-port meet the organization's strategies and objectives." "5. Protection of Information Assets (30 percent)—Provide assurance that the organiza-tion's security policies, standards, procedures, and controls ensure the confidentiality,integrity, and availability of information assets."

"chief information officer (CIO): "

"An executive-level position that oversees the organization'scomputing technology and strives to create efficiency in the processing and access of theorganization's information."

"Formerly known as the Information Systems Audit and Control Association, ISACA pro-motes four certifications: "

"Certified Information Security Manager (CISM), Certified in theGovernance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control(CRISC), and Certified Information Security Auditor (CISA)."

"• Managing the InfoSec office personnel:"

"Determine positions and personnel necessary to accomplish InfoSec goals. Request staff-ing positions, screen personnel, and take the lead in the interviewing and hiring process." "Develop meaningful job descriptions. Communicate expectations and actively coach personnel for success." "Prioritize and assign tasks. Review performed work. Challenge staff to better themselves and advance the level of service provided." "Provide meaningful feedback to staff on an ongoing basis and formally appraise performance annually."

"The best method of preventing SE attacks is preparation. All employees must betrained and aware of the potential for these types of attacks. Security education,training, and awareness programs that focus on SE attacks can provide the organiza-tion with invaluable preparation and prevention techniques. Some additional preven-tion methods, along with the attacks they intend to thwart, include the following:"

"For the physical building: •Personnel and SecurityTo avoid unauthorized physical access to the facility, ensure all employees haveand use ID cards/name badges at all times, and when possible have physicalsecurity employees on site to monitor access. To prevent someone from digging through the dumpster, keep them in monitoredand protected areas with regular inspections by physical security personnel."

"Only after passing all required portions of this examination process can the GIAC candidateearn the "

"GSE. Once earned, the GSE must be maintained by passing the written exam everyfour years, in lieu of continuing education. Passing the GSE exam automatically renews theprerequisite certifications needed to qualify for the GSE."

"Two methods for handling employee outprocessing, depending on the employee's reasons forleaving, are as follows:"

"Hostile Departure (Usually Involuntary), Including Termination, Downsizing, Lay-Personnel and SecurityOff, or Resignation—Security cuts off all logical and keycard access before theemployee is terminated" "Friendly Departure (Voluntary) for Retirement, Promotion, or Relocation—Theemployee may have tendered notice well in advance of the actual departure date, whichcan make it much more difficult for security to maintain positive control over theemployee's access and information usage.

"Each concentration requires that the applicant be a CISSP in good standing,pass a separate examination, and maintain the certification in good standing through ongo-ing continuing professional education. These concentrations and their respective areas ofknowledge are shown here as they are presented on the (ISC)2 Web site:"

"ISSAP®: Information Systems Security Architecture Professional" "• Access control systems and methodology • Communications and network security • Cryptography" "Security architecture analysis" "• Technology-related business continuity planning and disaster recovery planning • Physical security considerations"

"Some of the com-mon types of background checks are as follows:

"Identity Checks—Personal identity validation" "Education and Credential Checks—Institutions attended, degrees and certifications earned, and certification status" • Previous Employment Verification—Where candidates worked, why they left, what—they did, and for how long" "• Reference Checks—Validity of references and integrity of reference sources • Worker's Compensation History—Claims from worker's compensation • Motor Vehicle Records—Driving records, suspensions, and other items noted in theapplicant's public record" "• Drug History—Drug screening and drug usage, past and present • Medical History—Current and previous medical conditions, usually associated withphysical capability to perform the work in the specified position • Credit History—Credit problems, financial problems, and bankruptcy • Civil Court History—Involvement as the plaintiff or defendant in civil suits • Criminal Court History—Criminal background, arrests, convictions, and timeserved"

"Wood's Information Security Roles and Responsibilities Made Easy, Version 3 defines anddescribes the CISO position, which he calls the information security department manager, asfollows:"

"Job Title: Information Security Department Manager [Also known as Information SecurityManager, Information Systems Security Officer (ISSO), Chief Information Security Officer(CISO), Chief Information Security Strategist, or Vice President of Information Security. Notethat if the Chief Security Officer [...] does not exist at the organization in question, and is notappropriate at this point in time, then some of the CSO duties may instead be performed bythe Information Security Department Manager.] Department: Information Security Reports To: Chief Information Officer (CIO) [Most common but least recommended option],Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Executive Officer (CEO)[The latter is the most desirable option ...], Chief Security Officer (CSO), or Chief LegalCounsel... Dotted Line: Board of Directors Audit Committee Summary: The Information Security Department Manager directs, coordinates, plans, and orga-nizes InfoSec activities throughout Company X. He or she acts as the focal point for all commu-nications related to InfoSec, both with internal staff and third parties. The Manager works witha wide variety of people from different internal organizational units, bringing them together to manifest controls that reflect workable compromises as well as proactive responses to currentand future InfoSec risks."

"The CompTIA Advanced Security Practitioner is the organization's newest "

"Mastery-level cer-tification. "The CASP exam covers the technical knowledge and skills required to conceptual-ize, design, and engineer secure solutions across complex enterprise environments. It involvesapplying critical thinking and judgment across a broad spectrum of security disciplines topropose and implement solutions that map to enterprise drivers, while managing risk."30 Themultiple-choice exam certification requires ten years' experience in IT with a minimum of fiveyears of technical, hands-on, security experience. "

"Only by scrutinizing system logs during the transition period and after theemployee has departed, and sorting out authorized actions from system misuse or informa-tion theft, can the organization determine whether

"a breach of policy or a loss of informa-tion has occurred. If information has been illegally copied or stolen, it should be treated asan incident and the appropriate policy followed."

"In addition to taking on these roles and responsibilities, CISOs should follow six key princi-ples to shape their careers:"

"Practice Business Engagement: It is important to build professional relationships with""key stake holders in the organization. These relationships become key to understandingthe level of investment needed to support various areas of the organization that areoutside the CISO's areas of expertise." "Focus Initiatives on What Is Learned:"The knowledge gained from business engagement becomes a tool in developing and prioritizing efforts for the InfoSec department.Security initiatives and strategies will naturally follow the needs of the organization andincrease support from those stakeholders." "• Align, Target, and Time Initiatives—Once the priority of effort is developed, alongwith stakeholder buy-in, it is important to convey resource availability and constraintsto the organization to maintain organizational support and confidence. This informa-tion, along with an understanding of the requirements of the department for bothplanned and unplanned security efforts, will help manage expectation" " Deliver Services—Maintaining a professional "sales and service" perspective for theorganization will enhance the organization's opinion of the InfoSec department's value.The CISO should focus on communicating with the business stakeholders and execu-tive management using appropriate nontechnical language, and emphasize the value-added, return-on-investment contribution of the InfoSec department." "• Establish and Maintain Credibility—A CISO should promote the value of the InfoSecdepartment, highlighting its skill, expertise, and quality of efforts. The CISO shouldseek to elevate his or her visibility through internal involvement in the organization andexternal involvement within the field. This credibility will benefit not only the CISO(professionally) but the value of the department within the organization." "• Manage Relationships—Finally, the CISO should understand the decision makers in theorganization and cultivate professional relationships with those decision makers. Hav-ing a relationship with other decision makers will enable the CISO to understand betterhow someone who evaluates alternatives and provides or recommends resource distri-bution is important."

"the 20+ GIAC certifications can be pursued with "

"SANS training or without it (the latteroption is known as challenge certification). GIAC certifications not only test for knowledge,they require candidates to demonstrate application of that knowledge. With the introductionof the GIAC Information Security Professional (GISP) and the GIAC Security Leadership Cer-tification (GSLC), the SANS Institute now offers more than just technical certifications. Unlikeother certifications, some GIAC certifications require the applicant to complete a written prac-tical assignment that tests the applicant's ability to apply skills and knowledge. These assign-ments are submitted to the SANS Information Security Reading Room for review by securitypractitioners, potential certificate applicants, and others with an interest in InfoSec. Onlywhen the practical assignment is complete is the candidate allowed to take the online exam."

"A paper written by David Gragg and published by the SANS Institute overviews amultilayered defense against SE. Each layer offers some defense against an employeebeing compromised and, taken as a whole, offers the best defense. In his paper,Gragg defines the following layers of defense:"

"Security Policy Addressing Social Engineering—All organizations should—All organizations should—have clearly stated objectives for strong security, as stated in an effectivepolicy specifically addressing SE. Security Awareness Training for All Users—Security Awareness Training for All Users—Security Awareness Training for All Users Guidelines and motivation forall employees to understand data value, prevent information disclosure,and question inquisitive strangers and acquaintances. Resistance Training for Key Personnel—Resistance Training for Key Personnel—Resistance Training for Key Personnel Preparing employees not only tofocus on InfoSec, but also to be resistant to threats and attacks. Ongoing Reminders—Ongoing Reminders—Ongoing Reminders Regular reminders of the need to be conscientious. Social Engineering Land Mines (SELM)—Traps set up to identify and expose—an SE attack.— Incident Response—The need for a centralized and organized response to—SE attacks when they occur"

"There are various ways of monitoring and controlling employees to minimize theiropportunities to misuse information. "

"Separation of duties (also known as segregation ofduties) makes it difficult for an individual to violate InfoSec and breach the confidentiality, integrity, or availiabilitiy of info. " "For example, banks typically require that it take two employees toissue a cashier's check. The first is authorized to prepare the check, acquire the num-bered financial document, and ready the check for signature. The second, usually asupervisor, is authorized to sign the check. If one person has the authority to do bothtasks, then that person can prepare checks made out to co-conspirators, sign them, andsteal large sums from the bank.

"The Certified Information Systems Auditor (CISA) certification, while not specificallya security certification, does include many InfoSec components. ISACA promotes the certifi-cation as being appropriate for auditing, networking, and security professionals. CISArequirements are as follows:"

"Successful completion of the CISA examination" "Experience as an InfoSec auditor, with a minimum of five years' professional experi-""ence in information systems auditing, control, or security" "• Agreement to the Code of Professional Ethics" "•Payment of maintenance fees, a minimum of 20 contact hours of continuing educationannually, and a minimum of 120 contact hours during a fixed three-year period" "• Adherence to the Information Systems Auditing Standards"

"Responsibilities and Duties:"

"The Information Security Department Manager is responsible forenvisioning and taking steps to implement the controls needed to protect both Company Xinformation as well as information that has been entrusted to Company X by third parties.The position involves overall Company X responsibility for InfoSec regardless of the form thatthe information takes (paper, blueprint, CD-ROM, audio tape, embedded in products or pro-cesses, etc.), the information handling technology employed (portable computers, wirelessdevices, smart phones, fax machines, telephones, local area networks, file cabinets, etc.), or thepeople involved (contractors, consultants, employees, vendors, outsourcing firms, etc.)."

"builders."

"They're the real techies, who create and install security solutions"

"In regard to professional certification for InfoSec practitioners, Charles Cresson Woodreports the following:"

"With résumé fraud on the rise, one of the sure-fire methods for employers to besure that the people they hire are indeed familiar with the essentials of the field isto insist that they have certain certifications. The certifications can then be checkedwith the issuing organizations to make sure that they have indeed been conferredon the applicant for employment. [...] The [...] professional certifications are rele-vant primarily to centralized information security positions. They are not generallyrelevant to staff working in decentralized information security positions, unlessthese individuals intend to become information security specialists. You may alsolook for these certifications on the résumés of consultants and contractors workingin the information security field. You may wish to list these designations in helpwanted advertisements, look for them on résumés, and ask about them duringinterviews. Automatic résumé scanning software can also be set up to search forthese strings of characters."

"A security manager is"

"accountable for the day-to-day operation ofall or part of the InfoSec program. They accomplish objectives identified by the CISO andresolve issues identified by the technicians. Security managers are often assigned specificmanagerial duties by the CISO, including policy development, risk assessment, contingencyplanning, and operational and tactical planning for the security function. They often liaise with managers from other departments and divisions in joint planning and development sec-tions, such as security functions in human resources hiring and termination procedures,plant operations in environmental controls, and physical security design."

"The Security+ certification program is designed to test for "

"basic security knowledge mastery ofa person who has two years of on-the-job networking experience, with an emphasis on security.The exam covers industry-wide topics, including communication security, infrastructure security,cryptography, access control, authentication, external attack, and operational and organizationsecurity. CompTIA Securityþ curricula are being taught at colleges, universities, and commercialtraining centers around the globe. CompTIA Securityþ is being used as an elective or prerequi-site to advanced vendor-specific and vendor-neutral security certifications."

"The Department of Homeland Security and the National SecurityAgency jointly sponsor a program to recognize some of the "

"best institutions through the Centersof Academic Excellence (CAE) program. The program was founded by the NSA in 1998; DHSjoined in 2004 in response to the President's National Strategy to Secure Cyberspace."

"The breadth and depth covered in each of the 10 domains makes CISSP certification one ofthe most"

"challenging InfoSec certifications to obtain. Holders of the CISSP must earn a spe-cific number of continuing education credits every three years to retain the certification.Once candidates successfully complete the exam, they may be required to submit anendorsement by an actively credentialed CISSP or by their employer, who can serve as a ref-erence for their professional experience."

"Organizations sometimes hire self-employed or agent contractors—typicallycalled"

"consultants—for specific tasks or projects. Consultants have their own security require-ments and contractual obligations; their contracts should specify their rights of access to infor-mation and facilities. Security and technology consultants must be prescreened, escorted, andsubjected to nondisclosure agreements to protect the organization from intentional or acciden-tal breaches of confidentiality."

"CISOs are business managers first and technologists second, they must be"

"conversant in all areas of InfoSec, including technology, planning, andpolicy. They are expected to draft or approve a range of InfoSec policies. They also workwith their CIOs and other executive managers on strategic planning, they develop tacticalplans, and they work with security managers on operational planning. Finally, they developInfoSec budgets based on available funding, and they make decisions or recommendationsabout purchasing, project and technology implementation, and the recruiting, hiring, andfiring of security staff. Ultimately, the CISO is the spokesperson for the security team and isresponsible for the overall InfoSec program."

"Background checks differ in their levels of

"detail and depth. In the military, backgroundchecks are used to help determine the individual's security clearance. In the business world,the thoroughness of a background check can vary with the level of trust required for theposition being filled. Candidates for InfoSec positions should expect to undergo a reason-ably detailed and thorough background check. Those applying for jobs in law enforcementor high-security positions may be required to submit to polygraph tests. "

background check should be conducted before the organization"

"extendsan offer to any candidate, regardless of job level. A background check can uncover past criminalbehavior or other information that suggests a potential for future misconduct or a vulnerabilitythat might render a candidate susceptible to coercion or blackmail. A number of regulationsgovern which areas organizations are permitted to investigate and how the information gatheredcan influence the hiring decision. The security and human resources managers should discussthese matters with legal counsel to determine which local and state regulations apply."

"Contract employees—often called contractors—are typically"

"hired to perform specific services for the organization. In many cases, they are hired via athird-party organization. Typical contract employees include groundskeepers, maintenanceservices staff, electricians, mechanics, and other repair people, but they can also include pro-fessionals, such as attorneys, technical consultants, and IT specialists."

"Some organizations use members of the HR staff to perform "

"hiring interviews,while others prefer to include members of the department that the employee will eventuallyjoin. When a position within the InfoSec department opens up, the security manager can takethe opportunity to educate HR personnel on the various certifications, the specific experienceeach credential requires, and the qualifications of a good candidate. In general, the InfoSecdepartment should advise human resources to limit the information provided to the candidateson the access rights of the position. When an interview includes a site visit, the tour shouldavoid secure and restricted sites because the job candidate is not yet bound by organizationalpolicy or employment contract and could observe enough information about the operations orInfoSec functions to represent a potential threat to the organization."

"(ISC)2 has an innovative approach to the experience requirement inits certification program. Its Associate of (ISC)2 program is geared toward "

"individuals whowant to take any of its certification exams before obtaining the requisite experience for cer-tification. Those who successfully complete an (ISC)2 certification examination may promotethemselves as an Associate of (ISC)2 and may petition (ISC)2 for the full certification as soonas they complete the experience requirements.(ISC)2 has recently begun providing certification examinations exclusively via computer-based testing, which has greatly improved its exam-offering schedules and locations."

"Threats to information and information systems addressed by the Information SecurityDepartment Manager and his or her staff include, but are not limited to: "

"information unavailability, information corruption, unauthorized information destruction, unautho-rized information modification, unauthorized information usage, and unauthorized infor-mation disclosure. These threats to information and information systems includeconsideration of physical security matters only if a certain level of physical security is nec-essary to achieve a certain level of InfoSec [for example, as is necessary to prevent theft ofportable computers]"

"businesses sometimes engage in strategic alliances with other organi-zations to exchange "

"information, integrate systems, or enjoy some other mutual advantage.In these situations, a prior business agreement must specify the levels of exposure that bothorganizations are willing to tolerate. Sometimes, one division of an organization enters astrategic partnership with another organization that directly competes with one of its owndivisions. If the strategic partnership evolves into an integration of the systems of both com-panies, competing groups may be provided with information that neither parent organiza-tion expected. " "Non-disclosure agreements are an important part of any such collaborative effort. The level ofsecurity of both systems must be examined before any physical integration takes place, assystem connection means that vulnerability on one system becomes vulnerability for all linked systems."

"Many InfoSec professionals enter the field after having prior careers in "

"law enforcement orthe military, or careers in other IT areas, such as networking, programming, database admin-istration, or systems administration. Recently, college graduates who have tailored theirdegree programs to specialize in InfoSec have begun to enter the field in appreciable numbers."

"Finally, another important way to minimize opportunities for employee misuse of informa-tion is to"

"limit access to it through need to know and least privilege. These concepts were dis-cussed in previous chapters."

"Like network technicians, security technicians tend to be specialized, focusing on one "

"major security technology group (firewalls, IDPSs, servers, routers, and software) and then furtherspecializing in a particular software or hardware package within the group (such as CheckPoint firewalls, Cisco advanced security appliances, or Tripwire IDPSs). These areas are suf-ficiently complex to warrant this level of specialization. Security technicians who want tomove up in the corporate hierarchy must expand their technical knowledge horizontallyand obtain an understanding of the general organizational side of InfoSec as well as all tech-nical areas."

"For similar reasons, many organizations implement a"

"mandatory vacation policy thatrequires employees to take a vacation of at least one week per year. This policy gives theorganization a chance to perform a detailed review of everyone's work and work area.Employees who are stealing from an organization or otherwise misusing information orsystems are reluctant to take vacations for fear that their actions will be detected if theyare not present to conceal them."

"Among other things, FCRA prohibits employers from "

"obtaining a credit report unless thecandidate gives written permission for such a report to be released. This regulation alsoallows the candidate to request information on the nature and type of reporting used inmaking the employment decision, and to know the content of these reports and how theywere used in making the hiring decision. FCRA restricts the time period that these reportscan address. Unless the candidate earns more than $75,000 per year, they can contain onlyseven years of adverse information"

"Organizations are required by law to protect sensitive or"

"personal employee information,including personally identifying facts, such as employee addresses, phone numbers, SocialSecurity numbers, medical conditions, and even names and addresses of family members.This responsibility also extends to customers, patients, and anyone with whom the organiza-tion has business relationships. While personnel data is, in principle, no different than otherdata that InfoSec is expected to protect, certainly more regulations cover its protection. As aresult, InfoSec procedures should ensure that this data receives at least the same level of pro-tection as the other important data in the organization."

"Organizations must comply with federal regulations regarding the use of "

"personal infor-mation in employment practices. Among those regulations is the Fair Credit ReportingAct (FCRA), enacted in 1970, which governs the activities of consumer credit reportingagencies as well as the uses of the information procured from these agencies. Creditreports contain information on a job candidate's credit history, employment history, andother personal data."

"Definers provide the "

"policies, guidelines, and standards.... They're the peoplewho do the consulting and the risk assessment, who develop the product andtechnical architectures. These are senior people with a lot of broad knowledge,but often not a lot of depth. "

"The CISSP certification, considered to be the most "

"prestigious certification for secu-rity managers and CISOs, recognizes mastery of an internationally identified common bodyof knowledge (CBK) in InfoSec. To sit for the CISSP exam, the candidate must have at leastfive years of direct, full-time security professional work experience in two or more of 10 domains or four years of direct security work experience in two or more domains and afour-year college degree."

"GIAC certifications can be "enhanced" through the "

"pursuit of Gold or Expert status. Goldstatus indicates that the professional has also written and published a technical report orwhite paper, in cooperation with a GIAC advisor. Expert status requires additional, multi-day hands-on testing, which is offered annually and covers real-world security scenarios,research and writing assignments, and security exercises and presentations."

integrating InfoSec into the hiring process begins with "

"reviewing andupdating job descriptions to include InfoSec responsibilities and screen for unwanted disclo-sures. Organizations that provide complete job descriptions when advertising open positionsshould omit the elements of the job description that describe access privileges. Individualswho want to gain access to an organization's information may seek positions within itbased on the description of access. Job descriptions should be focused on the skills and abil-ities needed by the candidate rather than describing the organization's systems and security,and details of the access or responsibilities the new hire will have."

"While professional contractors may require access to virtually all areas of the organizationto do their jobs, service contractors usually need access only to "

"secure facility, all ser-vice contractors are escorted from room to room, and into and out of the facility. Whenthese employees report for maintenance or repair services, someone must verify that servicesare actually scheduled or requested. " "Any service agreements orcontracts should contain the following regulations: The facility requires 24-48 hours' noticeof a maintenance visit; the facility requires all on-site personnel to undergo backgroundchecks; and the facility requires advance notice for cancellation or rescheduling of a mainte-nance visit."

"The International Information Systems Security Certification Consortium ((ISC)2; www.isc2.org) offers "

"security certifications, among them the Certified Information Systems SecurityProfessional (CISSP), the Systems Security Certified Practitioner (SSCP), and the CertifiedSecure Software Lifecycle Professional (CSSLP)."

"From an InfoSec perspective, the hiring of employees is laden with potential"

"security pitfalls.The CISO, in cooperation with the CIO and relevant InfoSec managers, should establish adialogue with human resources (HR) personnel so that InfoSec considerations become partof the hiring process. Figure 11-4 highlights some of the hiring concerns."

"Wood's job description for the InfoSec department manager (provided earlier in this chap-ter) assumes that a"

"single management-level professional performs all the organization'sInfoSec management functions. In such a case, the security manager and the CISO are thesame person. However, larger organizations that require 24/7 management oversight gener-ally have several positions that collaborate to fulfill the functions that Wood describes. "

"Forexample, an InfoSec manager-of-managers—the CISO—may"

"supervise managers who areaccountable for specialized areas. These managers directly supervise the analysts, techni-cians, and support staff, and often have additional managerial responsibilities."

"Temporary workers—often called temps—are brought in byorganizations to fill positions temporarily or to "

"supplement the existing workforce. In manycases, they are actually employees of a temp agency, a company that is paid to supply spe-cially qualified individuals to an organization. Temps frequently provide secretarial oradministrative support but can be used to fill almost any position in an organization, includ-ing executive positions. These workers are often exposed to a wide range of information asthey perform their assigned duties. Because they are not employed by the organization forwhich they are working, however, they may not be subject to the contractual obligations orgeneral policies that govern other employees. Therefore, if a temp violates a policy or causesa problem, the strongest action that the host organization can take is to terminate the rela-tionship with the individual and request that he or she be censured. The employing agencyis under no contractual obligation to do so but may want to accommodate a powerful orlucrative client. Unless specified in its contract with the organization, the temp agency maynot be liable for losses caused by its workers."

"Other controls used to prevent personnel from misusing information assets are job rotationand "

"task rotation. Both job rotation and task rotation ensure that no one employee is per-forming actions that cannot be knowledgeably reviewed by another employee. In general,this overlap of knowledge is just good business sense. Among the many threats to an organi-zation's information, a major concern is the inability to perform the tasks of an employeewho is unable or unwilling to perform them. If everyone knows at least part of another per-son's job (a human random array of independent disks [RAID] system), the organization cansurvive the loss of any single employee."

"An InfoSec Engineer provides "

"technical assistance with the design, installation, opera-tion, service, and maintenance of a variety of multiuser InfoSec systems such as virtual privatenetworks (VPNs) and cloud-based data replication systems. A hands-on technical specialist, anEngineer handles the complex and detailed technical work necessary to establish security sys-tems such as firewalls and encryption-based digital signature software. An Engineer configuresand sets up InfoSec systems such as Intrusion Detection Systems, or else trains others such asAccess Control System Administrators, Systems Administrators, Network Administrators, and/or Database Administrators to do these tasks themselves."

"In 1999, the SANS Institute, formerly known as the System Administration, Networking, andSecurity Institute (www.sans.org), developed a series of"

"technical security certificationsknown as the Global Information Assurance Certification (GIAC; www.giac.org). Currently,the institute offers formal training (through SANS training) and certifications (throughGIAC). In fact, the institute treats the two areas as separate business units, referring to alltraining as SANS and all certifications as GIAC."

"A security technician is a"

"technically qualified individual who mayconfigure firewalls and intrusion detection and prevention systems (IDPSs), implement secu-rity software, diagnose and troubleshoot problems, and coordinate with systems and net-work administrators to ensure that security technical controls are properly implemented."

"The first thing an employee must do to defend against an SE attack is to"

"tell some-one. The organization should have an established procedure for reporting suspectedSE attacks. If the organization uses some form of caller ID, the number of the sus-pected SE attacker should be documented and reported. The organization's incidentresponse team should log these attacks and treat them no differently than anyother form of attack."

domain 4 includes

"the domainincludes subdomains in the following areas: Access Control Social Engineering, Phishing Attacks, Identity Theft Physical Security Risk Management Disaster Recovery and Business Continuity Planning Firewall, IDS/IPS, and Network Defense Systems Wireless Security Virus, Trojan, and Malware Threats Secure Coding Best Practices and Securing Web Applications Hardening Operating Systems Encryption Technologies Vulnerability Assessment and Penetration Testing Computer Forensics and Incident Response"

"the people whooperate and [administer] the security tools"

"the security monitoring function, andthe people who continuously improve the processes. This is where all the day-to-day, hard work is done. "

"As you learned in Chapter 5, Schwartz et al. classify InfoSec positions into one of three areas:"

"those that define, those that build, and those that administer:"

"The oddsthat two people will be able to collaborate successfully to misuse the system are muchlower than the odds of one person doing so. A practice similar to separation of duties,known as "

"two-person control (or dual control), requires that two individuals completea task together, and in some cases review and approve each other's work before thetask is considered complete. Figure 11-5 illustrates separation of duties and two-personcontrol."

"The role of security technician is the "

"typical InfoSec entry-level position, albeit a technicalone. One dilemma for those seeking employment in the field is that it does require a certainlevel of technical skill, which can be difficult to obtain without experience. As a result, secu-rity technicians are likely to be IT technicians who have adopted a different career path."

"Management of technology requires an"

"understanding of the technology that is administeredbut not necessarily proficiency in its configuration, operation, or fault resolution. Managinga technology is very different from administering it. For example, systems administrators are expected to be very technically proficient in the technology used by the systems under theircontrol, and they are responsible for ensuring that systems are used in compliance with theorganization's policies. They may have some management functions, but they are not heldaccountable, as managers are. "

" most common qualifications for theCISO include "

"working as a security manager as well as experience in planning, policy, andbudgets. The most common certifications include the Certified Information Systems SecurityProfessional (CISSP) and the Certified Information Security Manager (CISM)"

"The SSCP exam consists of 125 multiple-choice questions and must be completed withinthree hours. It covers seven domains:"

"• Access Controls Risk Identification, Monitoring, and Analysis Security Operations and Administration Cryptography Network and Communications Security Incident Response and Recovery Systems and Application Security" "Many consider the SSCP to be a scaled-down version of the CISSP. The seven domains arenot a subset of the CISSP domains; they contain slightly more technical content. Just aswith the CISSP, SSCP holders must earn continuing education credits to retain the certifica-tion or else they must retake the exam"

"The CISSP exam consists of 250 multiple-choice questions (with four choices each) and mustbe completed within six hours. It covers the following 10 domains of InfoSec knowledge:"

"• Access control • Business continuity and disaster recovery planning" "• Cryptography Legal, regulations, investigations, and compliance Operations security InfoSec governance and risk management Physical (environmental) security Security architecture and design Software development security Telecommunications and network security"

Responsibilities & Duties (continued) 4

"• Acts as an external representative for Company X in the event of a hacker break-in orsome other InfoSec-relevant event [This may involve news media interviews, discussionswith concerned customers, etc.]" "• Acts as an expert witness in InfoSec-related legal proceedings involving Company X" "•Provides technical InfoSec consulting assistance for Company X staff disciplinarymeasures, civil suits, and criminal prosecutions, if and when needed" "Initiates and manages special projects related to InfoSec that may be needed to appropri-ately respond to ad hoc or unexpected InfoSec events" "Provides technical support consulting services on matters related to InfoSec such as thecriteria to use when selecting InfoSec products" "Performs management and personnel administration functions associated with CompanyX's Information Security Department (coaches employees, hires and fires employees, disci-plines employees, reviews employee performance, recommends salary increases and promo-tions, counsels employees, establishes employee task lists and schedules, trains staff, etc.)•••" "• Acts as the primary liaison and decision-maker regarding the work of InfoSec consultants,contractors, temporaries, and outsourcing firms" "Stays informed about the latest developments in the InfoSec field, including new productsand services, through online news services, technical magazines, professional associationmemberships, industry conferences, special training seminars, and other methods•"

Responsibilities & Duties (continued)

"• Acts as the central point of contact within Company X when it comes to all communica-tions dealing with InfoSec, including vulnerabilities, controls, technologies, human factorsissues, and management issues" "• Establishes and maintains strong working relationships with the Company X groups involved with InfoSec matters (Legal Department, Internal Audit Department, PhysicalSecurity Department, Information Technology Department, Information Security Man-agement Committee, etc.) [Note that the Information Security Department Manager is,in most cases, the chairperson of the Information Security Management Committee.]" "• Establishes, manages, and maintains organizational structures and communications chan-nels with those responsible for InfoSec; these responsible parties include individuals withinCompany X departments (such as Local Information Security Coordinators) as well asCompany X business partners (outsourcing firms, consulting firms, suppliers, etc.)" "• Assists with the clarification of individual InfoSec responsibility and accountability so thatnecessary InfoSec activities are performed as needed, according to pre-established proce-dures, policies, and standards" "• Coordinates the InfoSec efforts of all internal groups, to ensure that organization-wideInfoSec efforts are consistent across the organization, and that duplication of effort isminimized [The Physical Security Department Manager does the same duty, but only forphysical security efforts.]" "• Coordinates all multi-application or multisystem InfoSec improvement projects at Com-pany X [A good example would be converting all operating system access control systemsto enforce a standard minimum password length.]" "• Represents Company X and its InfoSec-related interests at industry standards committeemeetings, professional association meetings, InfoSec technical conferences, industry-"specific Internet discussion groups, and similar public forums [Smaller or less visible orga-nizations will generally dispense with this duty. If the CSO role is going to be adopted inaddition to the Information Security Department Manager role, then who represents theorganization in what public forums will need to be clarified.]"

"ISSMP®: Information Systems Security Management Professional Enterprise Security Man-agement Practice"

"• Business continuity planning and disaster recovery planning •Security management practices System development security Law, investigations, forensics, and ethics Security compliance management"

"In addition to the CISSP and its concentrations, and theSSCP, (ISC)2 offers additional, specialized certifications:"

"• Certified Authorization Professional (CAP)—For individuals responsible for maintainingand authorizing systems. Authorization was discussed in Chapter 9. • Certified Cyber Forensics Professional (CCFP)—For individuals with digital forensicsresponsibility. Digital forensics was discussed in Chapter 10." "• Certified Cloud Security Professional (CCSP)—For individuals with responsibility forcloud-based systems security. Cloud security is discussed in Chapter 12. • Certified Secure Software Lifecycle Professional (CSSLP)—For individuals withresponsibility for the development and implementation of secure software. The systemsdevelopment life cycle was discussed in Chapter 1. • Health Care Information Security and Privacy Practitioner (HCISPP)—For individualsworking in the health care field, or with responsibilities to manage, audit, or securehealth care systems. Health care security regulations were discussed in Chapter 2."

"The EC-Council also offers a host of other security-related certifications:"

"• Certified Ethical Hacker • Computer Hacking Forensics Investigator • Licensed Penetration Tester • Certified Security Analyst • Network Security Administrator • Certified Incident Handler" "• Disaster Recovery Professional • Certified Secure Computer User • Certified Network Defense Architect • Certified Security Specialist • Certified Secure Programmer • Certified VoIP Professional • Certified Encryption Specialist"

"IT Community:"

"• Chief information officer • Chief technology officer •InfoSys analyst/business analyst Systems programmer Business applications programmer Computer operations manager Computer operator Data librarian" "InfoSys quality assurance analyst" "• Help desk specialist • Archives manager/records manager • Telecommunications manager" "Systems administrator/network administrator" "• Web site administrator/commerce site administrator • Database administrator • Data administration manager"

"The following list of positionswith InfoSec elements, which is drawn from Information Security Roles and ResponsibilitiesMade Easy, Version 3, shows the breadth of job titles that may be affected. The job descrip-tion elements have been grouped according to the community of interest. Information Security Community:"

"• Chief security officer •InfoSec department manager" "• Access control system administrator •Internal InfoSec consultant InfoSec engineer Security monitoring systems specialist InfoSec documentation specialist InfoSys contingency planner Local InfoSec coordinator"

"Information Security Engineer Responsibilities and Duties:" (continued)

"• Compiles, maintains, and documents a collection of software that is able to trace thesource of and otherwise investigate attacks on Company X systems [Forensic tools are anexample of this software.]" "• Acts as a technical consultant on InfoSec incident investigations and forensic technicalanalyses [An example of such a forensic analysis would be determining whether a certainuser had been downloading pornography with Company X computers, and then deletingthese files from his or her desktop computer.]" "• Conducts selected tests of InfoSec measures in accordance with specific instructions pro-vided by the Information Security Department Manager [This effort usually includeswhite hat penetration tests.]" "Interprets InfoSec policies, standards, and other requirements as they relate to a specificinternal information system, and assists with the implementation of these and other Info-Sec requirements•" "• Redesigns and reengineers internal information handling processes so that information isappropriately protected from a wide variety of problems including unauthorized disclo-sure, unauthorized use, inappropriate modification, premature deletion, and unavailability" "Serves as an active member of the CERT and participates in security incident responseefforts by, among other things, having an in-depth knowledge of common securityexploits, vulnerabilities, and countermeasures•" "• Develops technical documentation describing the deployment, configuration, and manage-ment of shared, networked, and multiuser InfoSec systems" "• Regularly attends conferences, professional association meetings, and technical symposiato remain aware of the latest InfoSec technological developments [An example would bedigital rights management (DRM) systems.]6"

Responsibilities & Duties (continued) 2

"• Completes, obtains management concurrence on, and formally files government formsand questionnaires dealing with InfoSec [Generally, this task this would appear in a jobdescription only in those industries which are highly regulated, such as financial institu-tions and health care providers.]" "Investigates the ways that InfoSec-related technologies, requirements statements, internalprocesses, and organizational structures can be used to achieve the goals found in theCompany X strategic plan [This effort should include consideration of the long-rangeinformation systems plan, which in turn should be an intermediate link between thebusiness strategic plan and the InfoSec plan.]•" "• Creates a strategic InfoSec plan with a vision for the future of InfoSec at Company X(utilizing evolving InfoSec technology, this vision meets a variety of objectives such asmanagement's fiduciary and legal responsibilities, customer expectations for secure mod-ern business practices, and the competitive requirements of the marketplace) [If the CSOrole is going to be adopted, then this InfoSec strategic plan can be a subsection of, andincorporated into, a five-year security plan prepared by the CSO.]" "• Understands the fundamental business activities performed by Company X, and based onthis understanding, suggests appropriate InfoSec solutions that adequately protect theseactivities" "• Develops action plans, schedules, budgets, status reports, and other top managementcommunications intended to improve the status of InfoSec at Company X" "• Obtains top management approval and ongoing support for all major InfoSec initiativesat Company X (or advises and assists others in their efforts with these proceedings)" "• Brings pressing InfoSec vulnerabilities to top management's attention so that immediateremedial action can be taken (this includes consideration of reputation risk and damage toCompany X's brand image)" "Performs and/or oversees the performance of periodic Company X risk assessments thatidentify current and future security vulnerabilities, determines the level of risk that man-agement has currently accepted, and identifies the best ways to reduce InfoSec risks[In a general sense, the Information Security Department Manager performs InfoSec riskmanagement or else establishes a management structure that has others (such as linemanagers) perform this function.]•" "• Examines InfoSec from a cross-organizational viewpoint including Company X's partici-pation in extranets, electronic data interchange (EDI) trading networks, ad hoc Internetcommerce relationships, and other new business structures, and makes related recommen-dations to protect Company X information and information systems [The prior para-graph discussing risk assessments deals with internal information systems, while thisparagraph is advisable whenever new multiorganizational networks are contemplatedor deployed.]"

"The newest competitor in the security management certification field, EC-Council now offersa Certified CISO (C|CISO) certification, which is designed to be a unique recognition forthose at the peak of their professional careers. The C|CISO tests not only security domainknowledge but executive business management knowledge. The C|CISO domains include thefollowing:"

"• Domain 1: Governance (Policy, Legal, and Compliance)—This domain focuses on theexternal regulatory and legal issues any CISO faces as well as the strategic InfoSecgovernance programs promoted in forward-thinking organizations. It also containsareas related to security compliance to ensure that the organization meets the laws andregulations applicable to it. And it includes areas of InfoSec standards such as FederalInformation Processing Standards and ISO 27000. Finally, it incorporates areas in riskmanagement." "• Domain 2: IS Management Controls and Auditing Management—includes knowledge areas associated with information systems controls and auditing,similar to those found in ISACA certifications. These include developing, implementing,and monitoring IS controls as well as reporting the findings to executive management.Auditing areas include planning, conducting, and evaluating audits in theorganization." "• Domain 3: Management-Project and Operations (Projects, Technology, and Opera-tions)—This domain contains basic managerial roles and responsibilities any securitymanager would be expected to have mastered. It includes the fundamentals of manage-ment covered in earlier chapters, including planning, organizing, staffing, directing, andcontrolling security resources." "• Domain 4: Information Security Core Competencies—This domain covers the commonbody of InfoSec knowledge that any CISO would be expected to possess. " "• Domain 5: Strategic Planning and Finance—This domain addresses those CISO tasksassociated with conducting strategic planning and financial management of the securitydepartment. The domain includes performance measures, IT investments, internal andexternal analyses, and developing and implementing enterprise security architecture"

"The International Society of Forensic Computer Examiners (ISFCE) offers the CertifiedComputer Examiner (CCE)® certification. To complete the CCE certification process, theapplicant must:"

"• Have no criminal record • Meet minimum experience, training, or self-training requirements • Abide by the certification's code of ethical standards • Pass an online examination •Successfully perform actual forensic examinations on three test media, reporting aftereach examination"

"General Business Community:"

"• Physical security department manager • Physical asset protection specialist • Building and facilities guard • Office maintenance worker • Mail room clerk" "•Internal audit department manager InfoSys auditor Internal intellectual property attorney Ethics officer" "• Chief knowledge officer • Chief compliance officer • Chief legal officer" "• Human resources department manager • Human resources consultant • Receptionist • Outsourcing contract administrator" "•In-house trainer Insurance and risk management department manager" "Insurance and risk management analyst "• Business contingency planner Chief financial officer Public relations manager Chief executive officer Purchasing agent"

"Information Security Engineer Responsibilities and Duties:"

"• Provides hands-on InfoSec technical consulting services to teams of technical specialistsworking on the integration of shared, centralized, and/or networked systems [Examples of such systems include an active data dictionary, a data warehouse, a data mart, and astorage area network (SAN).]" "Provides technical assistance with the initial set up, secure deployment, and proper man-agement of systems that support InfoSec including virus detection systems, spyware andadware detection systems, spam filtering systems, content control software systems, Website blocking systems, intrusion detection systems (IDSs), intrusion prevention systems(IPSs), and software license management systems [Other systems of this nature includesingle sign-on systems, centralized multiplatform access control databases, and enterprisesecurity management systems.]•" "• Offers technical InfoSec consulting services to distributed personnel who are responsiblefor one or more InfoSec systems; these people include Network Administrators, SystemsAdministrators, and Database Administrators" "• Evaluates information system bug reports, security exploit reports, and other InfoSecnotices issued by information system vendors, government agencies, universities, profes-sional associations, and other organizations, and as needed, makes recommendations tointernal management and technical staff to take precautionary steps [An example ofthese notices involves the periodic reports issued by the CERT at Carnegie-MellonUniversity.]" "• Acts as the primary technical support liaison in charge of distributing and loading updatesto anti-virus systems, IDSs, firewalls, data loss prevention systems, and other deployedsecurity systems within Company X" "• Configures and tunes one or more IDSs and IPSs to ensure that only authorized personnelhave access to Company X systems and networks, and that only authorized activity istaking place on Company X systems and networks [The monitoring of an IDS could bedone by computer operations staff, network operations staff, or a Monitoring SystemSpecialist. Note that a Systems Administrator may manage a host-based IDS and IPS,while this Engineer, or a Monitoring Systems Specialist, or another technical staff personin the Information Security Department, may manage a network-based IDS and IPS.]" "• Runs or works with others that periodically run vulnerability identification softwarepackages and related tools to immediately highlight errors in systems configuration, theneed for the update of software with fixes and patches, and other security-related changes[To leave this task solely to Systems Administrators introduces a conflict of interestbecause the results of such software will often indicate that Systems Administrators needto perform additional work. Internal Audit should also check up on the status of softwareupdates, patches, fixes, etc., to make sure all is as it should be.]" "• Runs, or works with others who periodically run, fixed password guessing software,unauthorized wireless network access point detection software, unprotected dial-upmodem identification software, and similar tools, and then informs those responsibleabout the need to change their systems to improve security [The first clause in this taskmay not be necessary if the organization in question has gotten away from user-chosenfixed passwords (and user-chosen encryption keys), perhaps through the use of dynamicpasswords along with digital certificates.]" "• With management authorization, collects, securely stores, and utilizes software that is ableto decrypt encrypted files, automatically guess user passwords, copy software that hasbeen copy-protected, or otherwise circumvent InfoSec measures [These tools may be criti-cal to off-site recovery efforts, successful security incident investigations, and otherspecial-situation security-related tasks.]"

"This program has three aspects:"

"• The Centers of Academic Excellence in Information Assurance Research (CAE-R)—Focused on doctoral-level research in InfoSec. • The Centers of Academic Excellence in Information Assurance/Cyber Defense (CAEIA/CD)—Focused on graduate and undergraduate InfoSec education in four-yearinstitutions. • The Centers of Academic Excellence in Two-Year Instructions (CAE2Y)—Focused ontechnical schools, community colleges, and government training centers."

"An organization can downsize, be bought out, be taken over, shut down, go out of busi-ness, or simply lay off, fire, or relocate its workforce. In any event, when an employeeleaves an organization, a number of security-related concerns arise. Chief among these isthe continuity of protection for all information to which the employee had access. Whenan employee leaves an organization, the following tasks must be performed:"

"• The former employee's access to the organization's systems must be disabled. • The former employee must return all removable media, technology, and data. • The former employee's hard drives must be secured.• File cabinet locks must be changed. • Office door locks must be changed. • The former employee's keycard access must be revoked. • The former employee's personal effects must be removed from the premises • The former employee should be escorted from the premises once keys, keycards, and""any remaining organizational property have been turned over." "in addition to performing these tasks, organizations should conduct an exit interview toremind the employee of any contractual obligations, such as nondisclosure agreements, and""to obtain feedback on the employee's tenure in the organization. At this time, the employeeshould be reminded that failure to comply with contractual obligations could lead to civil orcriminal action."

"To move the InfoSec discipline forward, organizations should take the following steps:"

"• The general management community of interest should learn more about the require-ments and qualifications for both InfoSec positions and relevant IT positions. • Upper management should learn more about InfoSec budgetary and personnel needs. • The IT and general management communities of interest should grant the InfoSecfunction—in particular, the chief information security officer (CISO)—an appropriate level of influence and prestige."

"When hiring InfoSec professionals at all levels, organizations frequently look for individuals who:"

"• Understand how organizations are structured and operated • Recognize that InfoSec is a management task that cannot be handled with technology alone • Work well with people in general, including users, and have strong written and verbalcommunication skills • Acknowledge the role of policy in guiding security efforts • Understand the essential role of InfoSec education and training, which helps makeusers part of the solution rather than part of the problem • Perceive the threats facing an organization, understand how these threats can becometransformed into attacks, and safeguard the organization from InfoSec attacks • Understand how technical controls (including firewalls, intrusion detection systems[IDSs], and anti-virus software) can be applied to solve specific InfoSec problems • Demonstrate familiarity with the mainstream information technologies, including themost popular and newest Windows, Linux, and UNIX operating systems • Understand IT and InfoSec terminology and concepts"

Responsibilities & Duties (continued) 3

"•Identifies laws, regulations, and legal contracts which define InfoSec requirements towhich Company X must comply, and maintains definitive evidence indicating whetherCompany X information systems are in compliance with these same requirements" "• Directs the development of, or originates self-assessment questionnaires and other toolsthat assist user department managers and other members of the management team in theirefforts to determine the degree of compliance with InfoSec requirements within theirrespective organizational units" "• Periodically initiates quality measurement studies to determine whether the InfoSec func-tion at Company X operates in a manner consistent with standard industry practices(these include customer satisfaction surveys, competitor benchmarking studies, industrybaseline controls comparisons, peer review comparison efforts, and internal tests)" "• Coordinates and directs the development, management approval, implementation, andpromulgation of objectives, goals, policies, standards, guidelines, and other requirementstatements needed to support InfoSec throughout Company X as well as within CompanyX business networks (such as extranets)" "• Provides managerial guidance to user department staff on the development of local,Personnel and Securitysystem-specific, and application-specific InfoSec policies, guidelines, standards, proce-dures, and responsibility designation" "• Assists with the establishment and refinement of procedures for the identification ofCompany X information assets as well as the classification of these information assetswith respect to criticality, sensitivity, and value" " Coordinates internal staff in their efforts to determine Company X InfoSec obligations according to external requirements (contractual, regulatory, legal, ethical, etc.)" "• Closely monitors changes in society's InfoSec-related ethics, values, morals, and attitudeswith an eye toward changes that Company X should make in response to thesedevelopments" "• Designs and manages business processes for the detection, investigation, correction, disci-plinary action, and/or prosecution related to InfoSec breaches, violations, and incidents[These efforts would, for example, include an intrusion detection system (IDS).]" "• Manages internal Company X activities pertaining to the investigation, correction, prose-cution, and disciplinary action needed for the resolution of InfoSec breaches, violations,and incidents (whether actual or alleged)" "• Prepares postmortem analyses of InfoSec breaches, violations, and incidents to illuminatewhat happened and how this type of problem can be prevented in the future" "Directs the preparation of information systems contingency plans and manages workergroups, such as computer emergency response teams (CERTs), that respond to InfoSec-relevant events (hacker intrusions, virus infections, denial-of-service (DoS) attacks, etc." " Works with the Public Relations department and top management to develop suitablepublic responses to InfoSec incidents, violations, and problems [These responses should bescripted and ready-to-go, as well as decided upon in an ad hoc manner based on pre-established criteria.]"

"The following is a list of duties that organizations expect their security managers to be com-petent at:"

"•Providing the organization with InfoSec oversight:" "Maintain current and appropriate body of knowledge necessary to perform the InfoSec management function." "Effectively apply InfoSec management knowledge to enhance the security of networks and associated systems and services" "Maintain working knowledge of applicable legislative and regulatory initiatives."Interpret and translate requirements for implementation." "Develop appropriate InfoSec policies, standards, guidelines, and procedures." "Work with other organization InfoSec personnel, committees, and executive man"agement in the governance process." "Provide meaningful reports for higher management, prepare effective presentations,"and communicate InfoSec objectives."" "Participate in short-term and long-term planning." "Monitor the InfoSec program measurement process and evaluate compliance "effectiveness." "Oversee and conduct InfoSec reviews and liaise with the broader organization. Coordinate and perform reviews of contracts, projects, and proposals. Assist information units with standards compliance." "Oversee the conduct of investigations of InfoSec violations and computer crimes andwork with management and external law enforcement to resolve these issues." "Review instances of noncompliance and work tactfully to correct deficiencies."

"Institutions across the United States are also considering adopting the new National Initiativefor Cybersecurity Education (NICE), promoted by NIST, and currently under considerationfor integration into the CAE program. The NICE framework at http://csrc.nist.gov/nice/framework/ focuses on seven security work domains, some of which are unique to the governmentand intelligence communities:"

"•Securely Provision—Specialty areas responsible for conceptualizing, designing, andbuilding secure information technology (IT) systems; i.e., responsible for some aspectof systems development. • Operate and Maintain—Specialty areas responsible for providing support, administra-tion, and maintenance necessary to ensure effective and efficient IT system performanceand security." "Protect and Defend Specialty areas responsible for identification, analysis, and miti-gation of threats to internal IT systems or networks.•" Investigate: specialty areas responsible for investigation of cyber events and/or crimes of IT systems, networks, and digital evidence. "Collect and Operate—Specialty areas responsible for specialized denial and deceptionoperations and collection of cybersecurity information that may be used to developintelligence." "Analyze—Specialty areas responsible for highly specialized review and evaluation ofincoming cybersecurity information to determine its usefulness for intelligence."" "Oversight and Development"Specialty areas providing leadership, management, direc-""tion, and/or development and advocacy so that individuals and organizations mayeffectively conduct cybersecurity work

"For the phone:"

"•To prevent someone from impersonating an employee when speaking to thehelpdesk, assign all employees a code (such as a PIN) to verify identity, or useemployee numbers. Also train employees—including the help desk staff—neverto give passwords or classified information over the phone. To prevent someone from stealing phone use, track all incoming and outgoingcalls, and don't allow employees to transfer calls outside the organization." C

"For the networks and Internet connection:"

"•To prevent someone from tapping into the network, ensure the networkingcloset is locked and monitored, with a current inventory of equipment kept" "• To prevent someone from installing unauthorized software to capture internaltraffic and passwords, monitor all system and network modifications and ensureall employees are trained on effective password policy and use."

"mandatory vacation policy:

A requirement that all employees take time off from work, whichallows the organization to audit the individual's areas of responsibility."

To heighten InfoSec awareness and change workplace behavior, organizations should incor-porate InfoSec components into employee performance evaluations. Employees pay closeattention to job performance evaluations, and including InfoSec tasks in them will motivateemployees to take more care when performing these tasks.For example, adding assessment areas and evaluation criteria for frequently encounteredsecurity accountabilities might be reflected in review comments like these:

Jane is meticulous in her management of classified documents" Tom continually stresses workstation security to his co-workers Tsu Ling emphatically led her department in the acquisition of new higher-security"mobile devices" "Bob worked tirelessly to safeguard the newly developed intellectual property his teamwas responsible for"

"two-person control:

The organization of a task or process such that it requires at least twoindividuals to work together to complete. Also known as dual control."

Job can-didates, on the other hand, can be offered

employment contingent upon agreement,"whereby they are not offered a position unless they agree to the binding organizationalpolicies. While such a policy may seem harsh, it is a necessary component of the securityprocess. Once a candidate signs the security agreements, the remainder of the employmentcontract may be executed.

As part of their orientation, new employees should receive anextensive InfoSec briefing. This orientation should cover

policies, security procedures, accesslevels, and training on the secure use of information systems. By the time new employees areready to report to their positions, they should be thoroughly briefed on the security component of their particular jobs as well as the rights and responsibilities of all personnelin the organization." Formal external and informal internal seminars alsoincrease the""level of security awareness for all employees, but especially for InfoSecemployees.