PoIS Chapter 11 (Discussion)
What functions does the security analyst perform?
Also referred to as security technicians, security analysts are the technically literate employees who are tasked with deploying firewalls, IDPS's, implement security software, and troubleshoot problems. This position is often an entry-level one, but it requires a lot of technical skill and knowledge to be filled. Security analysts tend to specialize in a particular kind of software deployment, so one might deploy a firewall and another might deploy an IDPS. Familiarity with the specified type of technology may be enough to secure an interview, but employers tend to favor actual experience with the particular piece of technology.
Who should pay for the expenses of certification? Why?
People who are pursuing the certification And or the Organization is mandating the employee is already working in the Management and the certification is required to continue their occupation.
What functions does the security manager perform?
The security manager manages the overall security operations of a company. They create policies to create a safe workplace for employees and strive to maintain an overall safe environment.
Prioritize the list of general attributes that organizations seek when hiring information security professionals.
5. Prioritize the list of general attributes that organizations seek when hiring information security professionals. 1. Always remember business over technology. 6. Speak to users, not at them. 7. Your education is never complete. 3. Your job is to protect the organization's information, never lose sight of the goal. 2. Look at the source of the problem first and determine the factors involved. 4. Be heard not seen.
For each major information security job title covered in the chapter, list and describethe key qualifications and requirements for the position.
CISO - Qualification, 4 year degree, communication, interpersonal, management skills. Reqs:Manages the overall infosec program, Drafts/approves infoSec policies ,Works w/ CIO on strategic, develops tacticalDevelops infosec budgets, Sets priorities for purchase/impl of infosec projects/tech, Makes decisions/recommendations for recruiting/hiring/firing Security Manager or Security Analyst - Qualifications - Bachelor's in tech, bus, or sec-related, CISSP certification, budgeting, project management, and hiring and firing, manage technicians Reqs:Accomplish CISO objs and resolve technician issues, General understaning of tech, Ability to draft middle and lower level policies, standards and guidelines, Experience in trad, Manage technicians
What are critical considerations when dismissing an employee? Do they change according to whether the departure is friendly or hostile, or according to which position the employee is leaving?
Critical considerations include systems access, any removable media, hard drives, files, all locks, logical and keycard access, etc. when it comes to termination of an employee. There are slight changes based on the type of termination, whether it is friendly or hostile, as a friendly departure is usually planned in advance. Hostile terminations need to restrict access to all points immediately or as soon as possible once the decision is reached. Good security practices would say to treat every termination as a hostile departure in case anything may have gone awry in the employee's psyche. The more access the employee has, the more important the termination process becomes, and the more important legal documents like Non-Disclosure Agreements come into play.
What factors influence an organization's decisions to hire information security professionals?
Information Security Professionals are in high demand as businesses seek top candidates to protect their organization's confidential data. According to the Bureau of Labor Statistics, the projected job growth of these positions is expected to increase by 32 percent until 2028. When considering appropriate candidates, organizations will mainly focus on the technical ability and knowledge needed to fill the position during the screening process. Candidates that possess and maintain relevant certifications like CISSP and SSCP, will often times stand out more to employers. While certifications may not guarantee a position with every company, the ability to adapt to change within the rapidly changing field of information security and how passionate the candidate is about their work will also be considered during the screening process.
Why is it important to use specific and clearly defined job descriptions for hiring information security professionals?
It is important to use specific and clearly defined job descriptions for hiring information security professionals because the descriptions can be used to increase the degree of professionalism in the IT field as well as improve the consistency of roles and responsibilities. The description will tell the potential employee exactly what the employer wants.
Why shouldn't an organization give a job candidate a tour of secure areas during an interview?
Job candidates are not employees, they are potential personnel that might become employees therefore they should not be prevee to the inner workings, or procedures within the company. During an interview this is not a best practice, and should be avoided, because human eyes pick up more then they remember ( and may be able to retain enough information about the operations of the company) they can potentially gain knowledge about information security functions that they shouldn't have. They could lead to potential spying within the company to gain organizational trade secrets. Followup interviews, mean that the individual has a high chance of being added as a resource within the company, but during any portion of the interview caution should be advised with involving tours. Secure and restricted sites should be avoided at all times. less
What is job rotation, and what benefits does it offer an organization?
Job rotation (also known as task rotation) is an internal control strategy which seeks both to reduce the misuse and abuse of company resources as well as to mitigate economic vulnerability by requiring all (or most) employees to familiarize themselves with each other's regular, individual duties well enough that they can detect any suspicious abnormalities in another employee's work and perform his duties in his absence. In short, it's a human redundancy control. less
What functions does the CISO perform?
Manages the overall information security program for the organization Drafts or approves information security policies Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational policies Develops information security budgets based on available funding Sets priorities for the purchase and implementation of information security projects and technology Makes decisions or recommendations for the recruiting, hiring and firing of security staff Acts as the spokesperson for the information security team. less
What member of an organization should decide where the information security function belongs within the organizational structure? Why?
No one single person should decide on where the information security belongs within the organization. Within different departments there should be someone making decisions on where the information security function belongs depending on the need of that department's goals and resources.
List and describe the typical relationships that organizations have with temporary employees, contract employees, and consultants. What special security precautions must an organization consider for such workers, and why are they significant?
Overall, temporary employees, contract employees, and contractors are not subject to the same rigorous screening and contractual obligations, but they do still have access to sensitive information in the organization. Temporary employees are hired by the organization to serve in a temp position or to supplement the existing workforce. They do not actually work for the organization, rather they are employees of the temp agency and the organization pays the temp agency. Because a temp employee is often not subjected to the same contractual obligations and policies, their access to importation should be limited to only that which is absolutely necessary for their duties. An organization can also request to have the temp employee sign nondisclosure and fair use policies, however the agency may not require this. A contract employee is typically hired to perform specific services for an organization. The contract is typically between the host and parent company and not with the individual. Often contract employees need physical access to locations rather than access to information (with exceptions of technology contract positions) and to preserve security they should only have access to the places that they need, not free reign of a campus/building/office, and it is important that all restrictions and regulations be part of the initial hiring contract. Consultants are typically hired for a one time purpose. They can be self employed or with another organization. Consultants typically have their own security requirements and contractual obligations coming into the job, and all contracts need to be very specific and agreed upon before the job and before they enter the premises.
What is separation of duties? How can it be used to improve an organization's information security practices?
Separation of duties is extremely important and effective in protecting assets. It is a practice that requires tasks involving sensitive information to be completely or performed by at least two people. This means that one single person does not control access to highly sensitive assets. This can be used to improve information security practices because it keeps the employees accountable to their coworkers.
What functions does the CISO perform?
The CISO is usually the top information security officer in an organization and normally not an executive level position. This role normally reports to the Chief Information Officer (CIO). CISOs are business managers first and technologists second, but must be well versed in all areas of information security. In many cases, the CISO is the architect of the information security program. Their functions usually include:
List and describe the options for placing the information security function within the organization. Discuss the advantages and disadvantages of each option.
The Information Technology Department - Peer of Subfunction groups such as Networking, Application Development, and Help Desk/Support (Most Common among large corporations) Standalone Department (Growing Trend among newer companies) Security - Peer of Physical Security or Protective Services Administrative Services - Peer of Human Resources, Purchasing Insurance/Risk Management Legal Department
What career paths do most experienced professionals take when moving into information security? Are other pathways available? If so, describe them.
The most common career paths for Information Security Professionals are CISO(Chief Information Security Officer) or CIO(Chief Information Officer). There are many other pathways available such as IT, Physical Security, and Administrative Services, just to name a few. Information Security professional can work in IT as a peer of other subfunctions like networks, application development and help desk. Also working in physical security, as a peer of physical security or protective services and Administrative services as a peer of human resources and purchasing.
What rationale should an aspiring information security professional use in acquiring professional credentials?
The most important rationale an aspiring information security professional should have is a mentality of "education is never complete" (Whitman, p. 607). Since technology is always rapidly changing, the credentials you have today may not be valid in the following years, and likewise your knowledge of technology. The idea is to not take certification or mastery of an area as permanent, due to technologies' evolution; there is no end completion with information security professionals.
List and describe the credentials for the information security certifications mentioned in this chapter.
There are numerous credentials and certifications currently available to security professionals and the list grows longer with each passing day. Some of the more popular certifications mentioned in this chapter include: ISC^2 or International Information Systems Security Certification Consortium - This family of certifications focuses on the higher level security management functions and contain some of the more prestigious certifications currently available IASCA - these certifications address needs of management functions and delve into specializations of oversight such as systems auditing GIAC or Global Information Assurance Certification - these certifications require not only a basis of IT knowledge, they also require an active demonstration of applied knowledge. The practical assessment portion of these certifications sets them apart from most certification systems. less