Chapter 11 Security and Personnel - Study Material
Friendly Departures
-Friendly departures include resignation, retirement, promotion, or relocation. In such cases, the employee may have tendered notice well in advance of the actual departure date. This scenario actually makes it more difficult for the security team to maintain positive control over the employee's access and information usage. -Another complication associated with friendly departures is that the employees can come and go at will until their departure date, which means they will probably collect their own belongings and leave under their own recognizance. As with hostile departures, employees should be asked to drop off all organizational property on their way out for the final time. ************For either type of departure, hostile or friendly, the offices and information used by the employee must be inventoried, files must be stored or destroyed, and all property must be returned to organizational stores. In either scenario, employees might foresee their departure well in advance and start taking home organizational information such as files, reports, and data from databases, perhaps thinking such items could be valuable in their future employment. This may be impossible to prevent. Only by scrutinizing systems logs after the employee has departed and sorting out authorized actions from systems misuse or information theft can the organization determine if a breach of policy or loss of information has occurred. If information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed.************* (important)
Staffing the Information Security Function: Chief Security Officer (CSO) Pg. 591
-In some organizations, the CISO's position may be combined with physical security responsibilities or may even report to a security manager who is responsible for both logical (information) security and physical security. Such a position is generally referred to as a CSO. -The CSO must be capable and knowledgeable in both information security requirements and the "guards, gates, and guns" approach to protecting the physical infrastructure, buildings, and grounds of a place of business.
Staffing the Information Security Function: Entry into the Information Security Profession
-Many information security professionals enter the field through one of two career paths. -Some come from law enforcement or the military, where they were involved in national security or cybersecurity. -Others are technical professionals—networking experts, programmers, database administrators, and systems administrators—who find themselves working on information security applications and processes more often than traditional IT assignments. -In recent years, a third, perhaps more traditional career path has developed: college students who select and tailor their degree programs to prepare for work in the field of information security. -IT professionals who move into information security, however, tend to focus on technology, sometimes in place of general information security issues. Organizations can foster greater professionalism in the discipline by expanding beyond the hiring of proven IT professionals and instead filling positions by matching qualified candidates to clearly defined roles in information security.
Privacy and the Security of Personnel Data
-Organizations are required by law to protect employee information that is sensitive or personal. This information includes employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members. -In principle, personnel data is no different from other data that an organization's information security group must protect, but a great deal more regulation covers its protection. As a result, information security groups should ensure that this data receives at least the same level of protection as other important data in the organization, including intellectual property, strategic planning, and other business-critical information.
Staffing the Information Security Function: Security Analyst
-Security analysts, also commonly referred to as security technicians, security architects, or security engineers, are technically qualified employees who are tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and trouble-shoot problems, and coordinate with systems and network administrators to ensure that an organization's security technology is properly implemented. -A security analyst is often an entry-level position -Because overtime and on-call pay are listed, this job is probably an hourly position rather than a salaried one, which is common for security analysts.
Staffing the Information Security Function: Security Manager
-Security managers are accountable for the day-to-day operation of the information security program. They accomplish objectives identified by the CISO and resolve issues identified by technicians. -Note that several positions have titles that contain the word manager or suggest management responsibilities, but only people who are responsible for management functions, such as scheduling, setting relative priorities, or administering budgetary control, should be considered true managers. -A candidate for this position often has a bachelor's degree in technology, business, or a security-related field, as well as a CISSP certification. -Traditionally, managers earn the CISSP or CISM, and technical professionals earn the Global Information Assurance Certification (GIAC). -Security managers must have the ability to draft middle- and lower-level policies as well as standards and guidelines. They must have experience in traditional business matters, such as budgeting, project management, and personnel management. They must also be able to manage technicians, both in the assignment of tasks and in the monitoring of activities. -there are several types of security managers, as the position is much more specialized than that of CISO.
Staffing the Information Security Function
-The (ISC)^2 Global Information Security Work-force Study, which found that 46 percent of all respondents felt their information security analyst positions were understaffed. More importantly, this percentage included two-thirds of all responding C-level executives, those with the greatest influence over hiring and budget decisions. Respondents attributed the shortage to "three factors: business conditions; executives not fully understanding the need; and an inability to locate appropriate information security professionals." -the study predicts an increase in information security personnel; more than 30 percent of respondents indicated that information security spending on personnel will increase.
Staffing the Information Security Function: Chief Information Security Officer (CISO)
-The CISO is typically the top information security officer in the organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the chief information officer. - Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and policy areas. In many cases, the CISO is the major definer or architect of the information security program. The CISO performs the following functions: • Manages the overall information security program for the organization • Drafts or approves information security policies • Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans • Develops information security budgets based on available funding • Sets priorities for the purchase and implementation of information security projects and technology • Makes decisions or recommendations for the recruiting, hiring, and firing of security staff • Acts as the spokesperson for the information security team -The most common certification for this type of position is the Certified Information Security Manager (CISM).
Positioning and Staffing the Security Function
-The model commonly used by large organizations places the information security department within the Information Technology department and usually designates a CISO (chief information security officer) or CSO (chief security officer) to lead the function. -The CIO, as the executive in charge of the organization's technology, strives for efficiency in the availability, processing, and accessing of company information. Thus, anything that limits access or slows information processing can impede the CIO's mission. -The CISO's function is more like that of an internal auditor in that the CISO must direct the Information Security department to examine data in transmission and storage to detect suspicious traffic, and examine systems to discover information security faults and flaws in technology, software, and employees' activities and processes. -A good information security program maintains a careful balance between access and security, and works to educate all employees about the need for necessary delays to ensure the protection of critical information. -In general, the data seems to suggest that while many organizations believe the CISO or CSO should function as an independent, executive-level decision maker, information security and IT are currently too closely aligned to separate into two departments. -Information Security Roles and Responsibilities Made Easy by Charles Cresson Wood explains that information security can be placed within any of the following organizational functions: • IT, as a peer of other sub functions such as networks, applications development, and the help desk • Physical security, as a peer of physical security or protective services • Administrative services, as a peer of human resources or purchasing • Insurance and risk management • The legal department -Organizations should find a rational compromise by placing information security where it can best balance its duty to monitor compliance with its ability to provide the education, training, awareness, and customer service needed to make information security an integral part of the organization's culture. -Also, the need to have the top security officer report directly to the executive management group instead of just the CIO becomes critical, especially if the security department is positioned in the IT function.
Staffing the Information Security Function: Information Security Positions
-The use of standard job descriptions can increase the degree of professionalism in the information security field and improve the consistency of roles and responsibilities among organizations. -Charles Cresson Wood's book, Information Security Roles and Responsibilities Made Easy, which offers a set of model job descriptions for information security positions. The book also identifies the responsibilities and duties of IT staff members whose work involves information security. -A study of information security positions by Schwartz, Erwin, Weafer, and Briney found that the positions can be classified into one of three areas: those that DEFINE information security programs, those that BUILD the systems and create the programs to implement information security controls, and those that ADMINISTER information security control systems and programs that have been created. -The definers are managers who provide policy and planning and manage risk assessments. They are typically senior information security managers—they have extensive and broad knowledge, but not a lot of technical depth. -The builders are techies who create security technical solutions to protect software, systems, and networks. -The administrators apply the techies' tools in accordance with the decisions and guidance of the definers; they provide day-to-day systems monitoring and use to support an organization's goals and objectives. -By clearly identifying which type of role it is seeking and then classifying all applicants into these three types and matching them, the organization can recruit more effectively.
EC-Council Certifications
Another competitor in certifications for security management, EC-Council (www.eccouncil.org), now offers a Certified CISO (C|CISO) certification, which is designed to be a unique recognition for those at the peak of their professional careers. The C|CISO tests not only security domain knowledge, but knowledge of executive business management. The C|CISO includes the following domains: • Domain 1: Governance (Policy, Legal, and Compliance): This domain focuses on the external regulatory and legal issues a CISO faces, as well as the strategic information security governance programs promoted in forward-thinking organizations. It also contains areas related to security compliance to ensure that the organization conforms to applicable laws and regulations. Finally, it includes areas of information security standards, such as Federal Information Processing Standards and ISO 27000, and it incorporates areas in risk management. • Domain 2: IS Management Controls and Auditing Management (Projects, Technology, and Operations): This domain includes knowledge areas associated with information systems controls and auditing, similar to those found in ISACA certifications. These areas include developing, implementing, and monitoring IS controls as well as reporting the findings to executive management. Auditing areas include planning, conducting, and evaluating audits in the organization. • Domain 3: Management—Projects and Operations (Projects, Technology and Operations): This domain contains basic managerial roles and responsibilities any security manager would be expected to have mastered. It includes the fundamentals of management covered in earlier chapters, including planning, organizing, staffing, directing, and controlling security resources. • Domain 4: Information Security Core Competencies: This domain covers the common body of information security knowledge that any CISO would be expected to possess. The domain includes subdomains in the following areas: • Access control • Social engineering, phishing attacks, identity theft • Physical security • Risk management • Disaster recovery and business continuity planning • Firewalls, intrusion detection systems, intrusion prevention systems, and network defense systems • Wireless security• Viruses, Trojans, and malware threats • Secure coding best practices and securing Web applications • Hardening operating systems • Encryption technologies • Vulnerability assessment and penetration testing • Computer forensics and incident response • Domain 5: Strategic Planning and Finance: This domain addresses CISO tasks associated with conducting strategic planning and financial management of the security department. The domain includes performance measures, IT investments, internal and external analyses, and developing and implementing enterprise security architectures. EC-Council also offers a number of certifications that focus on the technical side of security: • Certified network defender • Certified ethical hacker • Security analyst • Forensic investigator • Network defense architect • Encryption specialist • Advanced penetration testing • Licensed penetration tester • Advanced security Windows infrastructure • Advanced mobile hacking & forensics • Advanced hacking hardening corporate Web apps • Advanced network defense • Secure computer user • Incident handler • Secure programmer—Java • Secure programmer—.NET • Security specialist • Disaster recovery professional
Credentials for Information Security Professionals: (ISC)^2 Certifications (CCFP, HCISPP, CCSP, Associate of (ISC)^2)
CCFP: The Certified Cyber Forensics Professional is one of the newest certifications from (ISC)^2. It encompasses six domains: • Legal and ethical principles • Investigations • Forensic science• Digital forensics • Application forensics • Hybrid and emerging technologies -Candidates must have a bachelor's degree plus three years of forensics or security experience in three of the six domains. HCISPP: Another new and relevant certification for information security professionals working in the healthcare field is the HealthCare Information Security and Privacy Practitioner (HCISPP). -Similar to the CISSP but focused on security management topics and healthcare, this certification requires the candidate to demonstrate knowledge in six specialty domains on its 125-question multiple-choice exam: • Healthcare industry • Regulatory environment • Privacy and security in healthcare • Information governance and risk management • Information risk assessment • Third-party risk management -Candidates must have two or more years of experience in at least one of these domains and at least one year of experience in the top three domains (Healthcare industry, regulatory environment, or privacy and security in healthcare). The other year can be in any of the other domains and does not have to be experience in the healthcare field. CCSP: Completing the list of new (ISC)^2 certifications is the Certified Cloud Security Professional. This certification, co-sponsored by the Cloud Security Alliance, is aimed at professionals who are primarily responsible for specifying, acquiring, securing, and managing cloud-based services for their organization. -The CCSP covers six domains on its 125-question multiple-choice exam: • Architectural concepts and design requirements • Cloud data security • Cloud platform and infrastructure security • Cloud application security • Operations• Legal and compliance Associate of (ISC)^2: (ISC)^2 has an innovative approach to the experience requirement in its certification program. Its Associate of (ISC)^2 program is geared toward people who want to take the CISSP or SSCP exam before obtaining the requisite experience for certification. -Candidates who pass any of the described (ISC)^2 exams and agree to subscribe to the (ISC)^2 Code of Ethics as well as maintain Continuing Professional Education (CPE) credits and pay the appropriate fees can maintain their status as an Associate until they have logged the required years of experience.
ISACA Certifications: CGEIT and CRISC
CGEIT: Also available from ISACA is the Certified in the Governance of Enterprise IT (CGEIT) certification. The exam is targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance. The exam covers the following areas, as described in the ISACA 2016 Exam Candidate Information Guide: 1) Framework for the Governance of Enterprise IT (25 percent): Ensure the definition, establishment, and management of a framework for the governance of enterprise IT in alignment with the mission, vision, and values of the enterprise. 2) Strategic Management (20 percent): Ensure that IT enables and supports the achievement of enterprise objectives through the integration and alignment of IT strategic plans with enterprise strategic plans. 3) Benefits Realization (16 percent): Ensure that IT-enabled investments are managed to deliver optimized business benefits and that benefit realization outcome and performance measures are established, evaluated and progress is reported to key stakeholders. 4) Risk Optimization (24 percent): Ensure that an IT risk management framework exists to identify, analyze, mitigate, manage, monitor, and communicate IT-related business risk, and that the framework for IT risk management is in alignment with the enterprise risk management (ERM) framework. 5) Resource Optimization (15 percent): Ensure the optimization of IT resources, including information, services, infrastructure and applications, and people, to support the achievement of enterprise objectives. -Candidates must have at least one year of experience in IT governance and additional experience in at least two of the domains listed. CRISC: The newest ISACA certification is the Certified in Risk and Information Systems Control (CRISC). The certification is targeted at managers and employees with knowledge and experience in risk management. The exam covers the following areas, as described in the ISACA 2016 Exam Candidate Information Guide: 1) IT Risk Identification (27 percent): Understand the identification of risk in the organization's environment, in support of its risk management strategy and business objectives. 2. IT Risk Assessment (28 percent): Analyze and assess likelihood and impact of risk on the organization's operations and objectives. 3. Risk Response and Mitigation (23 percent): Specify the organization's risk response and mitigation strategies. 4. Risk and Control Monitoring and Reporting (22 percent): Conduct ongoing monitoring and provide reporting of overall risk management activities in support of the organization's risk management strategies and business objectives. -The certification requires the candidate to have a minimum of three years' experience in risk management and information systems control in at least two of the stated domains, and at least one year of that experience must be in one of the first two domains, although the candidate may elect to take the exam before fulfilling the experience requirement.
CompTIA Certifications
CompTIA (www.comptia.com)—the organization that offered the first vendor-neutral professional IT certifications, the A+ series—now offers a program called the Security+ certification. -The CompTIA Security+ certification tests for entry-level security knowledge. Candidates must have two years of on-the-job networking experience. The exam covers industry-wide topics, including communication security, infrastructure security, cryptography, access control, authentication, external attack, and operational and organization security. -curricula are taught at colleges, universities, and commercial training centers around the globe.
Employment Policies and Practices Pt. 2
Employment Contracts: -Once a candidate has accepted a job offer, the employment contract becomes an important security instrument. -Many of the policies discussed in Chapter 4—specifically, the fair and responsible use policies—require an employee to agree in writing to monitoring and non disclosure agreements. -If existing employees refuse to sign these agreements, security personnel are placed in a difficult situation. They may not be able to force employees to sign or to deny employees access to the systems necessary to perform their duties. With new employees, however, security personnel are in a different situation because the procedural step of policy acknowledgment can be made a requirement of employment. -Policies that govern employee behavior and are applied to all employees may be classified as "employment contingent upon agreement." This classification means the potential employee must agree in a written affidavit to conform with binding organizational policies before being hired. New Hire Orientation: When new employees are introduced into the organization's culture and workflow, they should receive an extensive information security briefing as part of their employee orientation. All major policies should be explained, along with procedures for performing necessary security operations and the new position's other information security requirements. In addition, the levels of authorized access should be outlined for new employees, and training should be provided regarding the secure use of information systems. By the time new employees are ready to report to their positions, they should be thoroughly briefed on the security components of their particular jobs and on the rights and responsibilities of all personnel in the organization. On-the-Job Security Training: -The organization should integrate the security awareness education described in Chapter 4 into a new hire's job orientation and make it a part of every employee's on-the-job security training. -Keeping security at the forefront of employees' minds helps minimize their mistakes and is therefore an important part of the information security team's mission. Formal external and informal internal seminars should also be used to increase the security awareness of employees, especially that of security employees -The maintenance of information security also depends heavily on the consistent vigilance of people. Evaluating Performance: -To heighten information security awareness and minimize risky workplace behavior, organizations should incorporate information security into employee performance evaluations. -In general, employees pay close attention to job performance evaluations and are more likely to take information security seriously if violations are documented in them. Termination: When an employee leaves an organization, several security issues arise. Key among these is the continuity of protection of all information to which the employee had access. Therefore, when an employee prepares to leave an organization, the following tasks must be performed: • Access to the organization's systems must be disabled. • Removable media must be returned. • Hard drives must be secured. • File cabinet locks must be changed. • Office door locks must be changed. • Keycard access must be revoked • Personal effects must be removed from the organization's premises. -Many organizations use an EXIT INTERVIEW to remind the employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback about the employee's tenure in the organization. At this time, the employee should be reminded that failure to comply with contractual obligations could lead to civil or criminal action. -An organization should have security-minded termination procedures that are followed consistently. In other words, the procedures should be followed regardless of the level of trust the organization had for the employee. However, a universally consistent approach is difficult and sometimes awkward to implement, which is why it's not often applied.
Staffing the Information Security Function: Qualifications and Requirements
Establishing better hiring practices in an organization requires the following: • The general management community of interest should learn more about the skills and qualifications for information security positions and IT positions that affect information security. • Upper management should learn more about the budgetary needs of information security and its positions. This knowledge will enable management to make sound fiscal decisions for information security and the IT functions that carry out many information security initiatives. • The IT and general management communities should grant appropriate levels of influence and prestige to information security, especially to the role of CISO. -In many fields, the more specialized professionals are more marketable. In information security, however, overspecialization can be risky. It is important, therefore, to balance technical skills with general knowledge about information security. When hiring information security professionals, organizations frequently look for candidates who understand the following: • How an organization operates at all levels • That information security is usually a management problem and is seldom an exclusively technical problem • How to work with people and collaborate with end users, and the importance of strong communications and writing skills • The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution rather than part of the problem • Most mainstream IT technologies at a general level, not necessarily as an expert • The terminology of IT and information security • The threats facing an organization and how they can become attacks • How to protect an organization's assets from information security attacks • How business solutions, including technology-based solutions, can be applied to solve specific information security problems
Hostile Departures
Hostile departures include termination for cause, permanent downsizing, temporary layoffs, and quitting in some instances. While the employee may not seem overly hostile, the unexpected termination of employment can prompt the person to lash out against the organization. No organizational property can be taken from the premises, including pens, papers, and books, as well as portable digital media like CDs, DVDs, and memory devices. Regardless of the claim If the employee has property he strongly wants to retain, he should be informed that he can submit a written list of the items and the reasons he should be allowed to retain them. After the employee's personal property has been gathered, he should be asked to surrender all company property, such as keys, keycards, other organizational identification, physical access devices, PDAs, pagers, cellphones, and portable computers. The employee should then be escorted out of the building.
ISACA Certifications: CISM and CISA
ISACA (www.isaca.org) also offers several reputable security certifications, including the Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA),and the Certified in the Governance of Enterprise IT (CGEIT). CISM: The CISM credential is geared toward experienced information security managers and others who may have similar management responsibilities. -The CISM can assure executive management that a candidate has the required background knowledge needed for effective security management and consulting. -This exam is offered annually. The CISM examination covers the following practice domains described in the ISACA 2016 Exam Candidate Information Guide: 1) Information Security Governance (24 percent): Establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives, information risk is managed appropriately and program resources are managed responsibly. 2) Information Risk Management and Compliance (33 percent): Manage information risk to an acceptable level to meet the business and compliance requirements of the organization. 3) Information Security Program Development and Management (25 percent): Establish and manage the information security program in alignment with the information security strategy. 4) Information Security Incident Management (18 percent): Plan, establish, and manage the capability to detect, investigate, respond to, and recover from information security incidents to minimize business impact. -To be certified, the applicant must: • Pass the examination. • Adhere to a code of ethics promulgated by ISACA. • Pursue continuing education as specified. • Document five years of information security work experience with at least three years in information security management in three of the four defined areas of practice. CISA: The CISA credential is not specifically a security certification, but it does include many information security components. ISACA touts the certification as being appropriate for auditing, networking, and security professionals. -CISA requirements are as follows: • Successful completion of the CISA examination • Experience as an information security auditor, with a minimum of five years' professional experience in information systems auditing, control, or security • Agreement to the Code of Professional Ethics • Payment of maintenance fees, a minimum of 20 contact hours of continuing education annually, and a minimum of 120 contact hours during a fixed three-year period • Adherence to the Information Systems Auditing Standards The exam covers the following areas of information systems auditing, as described in the ISACA 2016 Exam Candidate Information Guide: 1) The Process of Auditing Information Systems (21 percent): Provide audit services in accordance with IT audit standards to assist the organization with protecting and con-trolling information systems. 2) Governance and Management of IT (16 percent): Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy. 3) Information Systems Acquisition, Development and Implementation (18 percent): Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization's strategies and objectives. 4) Information Systems Operations, Maintenance and Support (20 percent): Provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives. 5) Protection of Information Assets (25 percent): Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity, and availability of information assets. -The CISA exam is offered only a few times each year
SANS Certifications
In 1999, the SANS Institute, formerly known as the System Administration, Networking, and Security Institute (www.sans.org), developed a series of technical cybersecurity certifications known as the Global Information Assurance Certification (GIAC; www.giac.org -GIAC certifications not only test for knowledge, they require candidates to demonstrate application of that knowledge. With the introduction of the GIAC Information Security Professional (GISP),the GIAC Security Leadership Certification (GSLC), and several new managerial certifications, SANS now offers more than just technical certifications. The GIAC family of certifications covers 20 certifications in seven general areas: security administration, management, forensics, software security, audit, legal, and the capstone certification, the GIAC Security Expert (GSE). -Unlike other certifications, some GIAC certifications require applicants to complete a written practical assignment that tests their ability to apply skills and knowledge. These assignments are submitted to the SANS Information Security Reading Room for review by security practitioners, potential certificate applicants, and others with an interest in information security. Only when the practical assignment is complete is the candidate allowed to take the online exam. -Most GIAC certifications are offered in conjunction with SANS training.
Certification Costs
Individual certification exams can cost as much as $750, and certifications that require multiple exams can cost thousands of dollars. In addition, the cost of formal training to prepare for the exams can be significant. -Some certification exams, such as the CISSP, are very broad; others, such as components of the GIAC, are very technical. Given the nature of the knowledge needed to pass the examinations, most experienced professionals find the tests difficult without at least some review. -Certifications are designed to recognize experts in their respective fields, but the cost of certification deters those who might take the exam just to see if they can pass. Most examinations require between two and three years of work experience, and they are often structured to reward candidates who have significant hands-on experience.
Employment Policies and Practices
Job Descriptions: The process of integrating information security into the hiring process begins with reviewing and updating all job descriptions. To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when it advertises open positions. Interviews: For organizations that include onsite visits as part of their initial or follow-up interviews, it is important to exercise caution when showing a candidate around the facility. Avoid tours through secure and restricted sites. Candidates who receive tours may be able to retain enough information about operations or information security functions to become a threat. Background Checks: A background check should be conducted before an organization extends an offer to a job candidate. -Several government regulations specify what the organization can investigate and how much of the information uncovered can be allowed to influence the hiring decision. The security manager and HR manager should discuss these matters with legal counsel to determine what state, federal, and perhaps international regulations affect the hiring process. The following list summarizes various types of back-ground checks and the information checked for each: • Identity checks: Validation of identity and Social Security number • Education and credential checks: Validation of institutions attended, degrees and certifications earned, and certification status • Previous employment verification: Validation of where candidates worked, why they left, what they did, and for how long • Reference checks: Validation of references and integrity of reference sources • Social media review: Companies may review your social media activity for evidence of inappropriate or unprofessional actions. • Worker's compensation history: Investigation of claims from worker's compensation • Motor vehicle records: Investigation of driving records, suspensions, and DUIs • Drug history: Screening for drugs and drug usage, past and present • Credit history: Investigation of credit problems, financial problems, and bankruptcy • Civil court history: Investigation of the candidate's involvement as a plaintiff or defendant in civil suits • Criminal court history: Investigation of criminal background, arrests, convictions, and time served As mentioned, there are federal regulations for the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA), which governs the activities of consumer credit reporting agencies and the uses of information procured from them.36These credit reports generally contain information about a job candidate's credit history, employment history, and other personal data. -the FCRA prohibits employers from obtaining these reports unless the candidate is informed in writing that such a report will be requested as part of the employment process. The FCRA also allows the candidate to request information about the nature and type of reporting used in making the employment decision and subsequently enables the candidate to learn the content of these reports. -The FCRA also restricts the periods of time these reports can address. If the candidate earns less than $75,000 per year, the report can contain only seven years of negative credit information. If the candidate earns $75,000 or more per year, there is no time limitation.
Internal Control Strategies
Separation of Duties -Among internal control strategies, SEPARATION OF DUTIES is a cornerstone in the protection of information assets and the prevention of financial loss. Separation of duties is used to reduce the chance that an employee will violate information security and breach the confidentiality, integrity, or availability of information. The control stipulates that the completion of a significant task involving sensitive information requires at least two people. -The idea behind this separation is that if only one person has authorization to access a particular set of information, there may be nothing the organization can do to prevent the person from copying the information and removing it from the premises. Separation of duties is especially important, and thus commonly implemented, when financial information must be protected. The same level of control should be applied to critical data. Two-Person Control: A similar concept is known as two-person control, in which two employees review and approve each other's work. This concept is distinct from separation of duties, in which the two people work in sequence. In two-person control, each person completely finishes the necessary work and then submits it to the other coworker. Each coworker then examines the work performed, double-checking to make sure no errors or inconsistencies exist. Job Rotation (aka Task Rotation): Another control used to prevent personnel from misusing information assets is job rotation(or task rotation). If one employee cannot feasibly learn the entire job of another, the organization should at least try to ensure that multiple employees on staff can perform each critical task. -Such job or task rotations can greatly increase the chance that an employee's misuse of the system or abuse of information will be detected by another. Mandatory Vacations: -Why shoulda company require its employees to take vacations? A mandatory vacation of at least one week gives the organization the ability to audit the work of an employee. People who are stealing from the organization or otherwise misusing information or systems are generally reluctant to take vacations, for fear that their actions will be detected. -The mandatory vacation policy is effective because it makes employees consider that they might be caught if they abuse the system. Garden Leave: -A related concept, garden leave, is used by some companies to restrict the flow of proprietary information when an employee leaves to join a competitor. When this procedure is invoked, an employee is paid salary and benefits for a period of time, often 15 or 30 days; is not allowed access to the former place of employment; and is not allowed to report to the new employer. -The intent is to have employees lose the immediate value of any current knowledge about tactical intelligence at the former firm and ensure that the employee's recollections of specific details fade. -The term garden leave comes from the fact that the employee can do little more than stay home and tend a garden for awhile. -In some organizations, employees are required to sign a covenant not to compete( CNC) or non-compete clause (NCC), which prevents them from working for a direct competitor within a specified time frame—usually a few months to several years. This clause is designed to minimize the loss of intellectual property when employees change jobs Need to know/Least privilege: -One final control measure is that employees should have access to the minimum amount of information necessary for them to perform their duties, and only as long as needed. In other words, there is no need for everyone in the organization to have access to all information. This principle is called need to know. -A similar concept is least privilege, in which employees are restricted in their access and use of information based on their need to know.
Credentials for Information Security Professionals: (ISC)^2 Certifications (SSCP, CSSLP)
SSCP: The SSCP also has lower professional experience requirements than the CISSP. The SSCP focuses on practices, roles, and responsibilities as defined by experts from major information security industries. -Like the CISSP, the SSCP certification is more applicable to the security manager than to the technician, as the bulk of its questions focus on the operational nature of information security. -The SSCP exam consists of 125 multiple-choice questions and must be completed within three hours. It covers seven domains: • Access controls • Security operations and administration • Risk identification, monitoring, and analysis • Incident response and recovery • Cryptography • Network and communications security • Systems and application security -Many consider the SSCP to be a scaled-down version of the CISSP. The seven domains are not a subset of the CISSP domains; they contain slightly more technical content. CSSLP: The Certified Secure Software Lifecycle Professional (CSSLP) is another (ISC)^2 certification focused on the development of secure applications. To qualify for the CSSLP, you must have at least four years of recent experience in one or more of the following eight domains: • Secure software concepts: Security implications in software development • Secure software requirements: Capturing security requirements in the requirements-gathering phase • Secure software design: Translating security requirements into application design elements • Secure software implementation/coding: Unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation • Secure software testing: Integrated QA testing for security functionality and resiliency to attack • Software acceptance: Security implications in the software acceptance phase • Software deployment, operations, maintenance, and disposal: Security issues for steady-state operations and management of software • Supply chain and software acquisition: Establishing relationships with suppliers and interacting with them on security-related issues such as service-level agreements and vulnerability management throughout the software development life cycle You must compose an essay in each of your four areas of expertise and submit it as your exam. This test is radically different from the multiple-choice exams (ISC)^2 normally administers. Once your experience has been verified and you successfully complete the essay exam, you can be certified.
Security Considerations for Temporary Employees, Consultants, and Other Workers
Temporary employees, contract employees, and other types of workers are not subject to rigorous screening, contractual obligations, and eventual secured termination, but they often have access to sensitive organizational information. Temporary Employees: -Some employees are hired by the organization to serve in a temporary position or to supplement the existing workforce. These employees do not work for the organization where they perform their duties, but instead are usually paid employees of a temp agency or organization that provides qualified workers at the paid request of another company -Temps typically provide secretarial or administrative support, and thus may be exposed to a wide range of information -If temps violate a policy or cause a problem, the strongest action the host organization can take is to terminate the relation-ships and request that the temps be censured. The employing agency is under no contractual obligation to comply, although it may censure the employee to appease an important client. -From a security standpoint, temporary employees' access to information should be limited to that necessary for them to perform their duties. -The organization can attempt to have temporary employees sign nondisclosure agreements and fair use policies, but the temp agency may refuse, forcing the host organization to choose among finding a new temp agency, going without the assistance of the temp worker, or allowing the temp to work without the agreement. Contract Employees: -Contract employees are typically hired to perform specific services for the organization. In such cases, the host company often makes a contract with a parent organization rather than with an individual employee for a particular task. Typical contract employees include groundskeepers, maintenance workers, electrical contractors, mechanical service contractors, and other service and repair workers. -Although some contract workers may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources, except when the organization has leased computing equipment or contracted with a disaster recovery service. Although some contract workers may require access to virtually all areas of the organization to do their jobs, they seldom need access to information or information resources, except when the organization has leased computing equipment or contracted with a disaster recovery service. -For the organization to maintain a secure facility, all contract employees should be escorted from room to room, as well as into and out of the facility. When contract employees report for maintenance or repair services, security personnel should first verify that these services are actually scheduled or approved. Direct supervision of contract employees is a necessity. -The following regulations should be negotiated well in advance: The facility requires 24 to 48 hours' notice of a maintenance visit; the facility requires all onsite personnel to undergo background checks; and the facility requires advance notice for cancellation or rescheduling of a maintenance visit. Consultants: -Sometimes, onsite contracted workers are self-employed or are employees of an organization hired for a specific, one-time purpose. These workers are typically referred to as consultants, and they have their own security requirements and contractual obligations. -Consultants typically request permission to present work samples to other companies as part of their résumés, but a client organization is not obligated to grant this permission and can even explicitly deny permission in writing. Organizations should also remember that just because they are paying an information security consultant, the protection of their information doesn't become the consultant's top priority. Business Partners: -On occasion, businesses create strategic alliances with other organizations that want to exchange information, integrate systems, or simply discuss operations for mutual advantage. -In these situations, a prior business agreement is needed to specify the level of exposure both organizations are willing to tolerate. Sometimes, one division of a company enters a strategic partnership with an organization that directly competes with another of the company's own divisions. -divisions. If the strategic partnership evolves into an integration of both companies' systems, competing groups might exchange information that neither parent organization expected to share. As a result, both organizations must make a meticulous, deliberate determination of what information is to be exchanged, in what format, and with whom. Nondisclosure agreements must be in place
Credentials for Information Security Professionals: (ISC)^2 Certifications (CISSP)
The International Information Systems Security Certification Consortium, known as ðISCÞ2,offers security certifications such as the Certified Information Systems Security Professional(CISSP), the Systems Security Certified Practitioner (SSCP), and the Certified Secure Software Lifecycle Professional (CSSLP). CISSP: The CISSP certification is considered the most prestigious for security managers and CISOs. It recognizes mastery of an internationally identified Common Body of Knowledge (CBK) in information security. -To sit for the CISSP exam, the candidate must have at least five years of direct, full-time experience as a security professional working in at least two of the eight domains of information security knowledge, or four years of direct security work experience in two or more domains. The candidate must also have a four-year college degree. The CISSP exam consists of 250 multiple-choice questions and must be completed within six hours. It tests candidates on their knowledge of the following eight domains: • Security and risk management • Asset security • Security engineering • Communications and network security • Identity and access management • Security assessment and testing • Security operations • Software development security -CISSP certification requires successful completion of the exam and an endorsement. Once candidates successfully complete the exam, they have nine months to submit an endorsement by an actively credentialed CISSP or by their employer as validation of their professional experience. -the CISSP holder must earn 120 hours of continuing professional education (CPE) every three years, with a minimum of 20 hours per year. CISSP Concentrations: -ISSAP®: Information Systems Security Architecture Professional • Access control systems and methodology • Communications and network security • Cryptography • Security architecture analysis • Technology-related business continuity planning and disaster recovery planning • Physical security considerations ISSEP: Information Systems Security Engineering Professional • Systems security engineering • Certification and accreditation/risk management framework • Technical management • U.S. government information assurance-related policies and issuances -ISSMP: Information Systems Security Management Professional • Enterprise security management practices • Business continuity planning and disaster recovery planning • Security management practices • System development security • Law, investigations, forensics, and ethics • Security compliance management
ISFCE Certifications
The International Society of Forensic Computer Examiners (ISFCE) offers two levels of certification. Certified Computer Examiner (CCE): Certified Computer Examiner (CCE)®is a computer forensics certification provided by the ISFCE (www.isfce.com). To complete the CCE certification process, the applicant must: • Have no criminal record • Meet minimum experience, training, or self-training requirements • Abide by the certification's code of ethical standards • Pass an online examination • Successfully perform actual forensic examinations on three test media The CCE certification process covers the following areas: • Ethics in practice • Key legislation in, and its impact on, digital forensics • Software licensing and validation • General computer hardware used in data collection • Networking and its involvement in forensics and data collection • Common computer operating system and file systems organization and architecture • Forensics data seizure procedures• Casework and other forensics examination procedures• Common computer media, as used as evidence, in physical and logical storage media operations, and procedures for sterilization and use • Use of forensic boot disks• Forensic examination skills and procedures
Advice for Information Security Professionals
• Always remember: business before technology. Technology solutions are tools for solving business problems. Information security professionals are sometimes guilty of looking for ways to apply the newest technology to problems that do not require technology-based solutions. • When evaluating a problem, look at the source of the problem first, determine what factors affect the problem, and see where organizational policy can lead you in designing a solution that is independent of technology. Then use technology to deploy the controls necessary for implementing the solution. Technology can provide elegant solutions to some problems, but it only exacerbates others. • Your job is to protect the organization's information and information systems resources. Never lose sight of the goal: protecting the organization's information assets from losses. Some people get so wrapped up in the technology or implementation details that they lose track of the primary mission. • Be heard and not seen. Information security should be transparent to users. With minor exceptions, the actions taken to protect information should not interfere with users' actions. Information security supports the work of end users, not the other way around. The only routine communications from the security team to users should be periodic awareness messages, training announcements, newsletters, and e-mails. • Know more than you say, and be more skillful than you let on. Don't try to impress users, managers, and other nontechnical people with your level of knowledge and experience. One day you just might run into a Jedi master of information security who puts you in your place. • Speak to users, not at them. Use their language, not yours. Users aren't impressed with technobabble and jargon. They may not comprehend all the TLAs (three-letter acronyms), technical components, software, and hardware necessary to protect their systems, but they do know how to short-circuit your next budget request or pick out the flaws in your business report. • Your education is never complete. As sensitive as you are to the fact that information technology is ever evolving, you must be equally sensitive to the fact that information security education is never complete.