Chapter 11 Security and Personnel
Exit Interview
A meeting with an employee who is leaving the organization to remind the employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback about the employee's tenure.
Security Analyst
Are technically qualified employees who are tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organizations security technology is properly implemented.
CISSP (Certified Information Systems Security Professional)
Considered the most prestigious for security managers and CISOs. It recognizes the mastery of an internationally identified Common Body of Knowledge (CBK) in information security.
Chief Security Officer (CSO)
In some organizations, the CISO's position may be combined with physical security responsibilities or may even report to a security manager who is responsible for both logical security and physical security.
Least Privilege
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation needed. Least privilege implies a need to know.
Separation of Duties
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them.
Two-Person Control
The organization of a task or process so that at least two individuals must work together to complete it. Also known as dual control.
Need To Know
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.
Task Rotation
The requirement that all critical tasks can be performed by multiple individuals.
Job Rotation
The requirement that every employee be able to perform the work of another employee.
Chief Information Security Officer (CISO)
The top information security officer in the organization.
Security Manager
This position is accountable for the day-to-day operation of the information security program.