ISA3300 chapter 11


Hostile Departure

(Usually Involuntary), Including Termination, Downsizing, Lay-Off, or Resignation—Security cuts off all logical and keycard access before the employee is terminated.

Friendly Departure

(Voluntary) for Retirement, Promotion, or Relocation—The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee's access and information usage. Employee accounts are usually allowed to continue, with a new expiration date.

two-person control:

The organization of a task or process such that it requires at least two individuals to work together to complete. Also known as dual control.

collusion:

A conspiracy or cooperation between two or more individuals or groups to commit illegal or unethical actions.

mandatory vacation policy:

A requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility.

security technician:

A technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls are properly implemented. Also known as a security admin.

chief information officer (CIO):

An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.

Business Partners

Businesses sometimes engage in strategic alliances with other organizations to exchange information, integrate systems, or enjoy some other mutual advantage. In these situations, a prior business agreement must specify the levels of exposure that both organizations are willing to tolerate.

The International Society of Forensic Computer Examiners (ISFCE) offers the Certified Computer Examiner (CCE)® certification. The CCE covers the core competencies:

• Ethics and law
• Hardware
• Networks
• Operating systems/file systems
• Preparation
• Acquisition
• Authentication
• Analysis (primarily NTFS)
• Presentation/Reporting
• Media Geometry

Certified Authorization Professional (CAP)—

For individuals responsible for maintaining and authorizing systems.

Certified Cyber Forensics Professional (CCFP)—

For individuals with digital forensics responsibility.

Certified Cloud Security Professional (CCSP)—

For individuals with responsibility for cloud-based systems security.

Certified Secure Software Lifecycle Professional (CSSLP)—

For individuals with responsibility for the development and implementation of secure software.

Health Care Information Security and Privacy Practitioner (HCISPP)—

For individuals working in the health care field, or with responsibilities to manage, audit, or secure health care systems.

The GIAC management certifications include:

• GIAC Security Leadership Certification (GSLC)
• GIAC Information Security Professional (GISP)
• GIAC Certified Project Manager Certification (GCPM)

CISSP concentrations

• ISSAP
• ISSMP
• ISSEP

(ISC)2 Certifications

The International Information Systems Security Certification Consortium offers security certifications, among them the Certified Information Systems Security Professional (CISSP), the Systems Security Certified Practitioner (SSCP), and the Certified Secure Software Lifecycle Professional (CSSLP).

CRISC (Certified in Risk and Information Systems Control).

The certification positions IT professionals for careers that link IT risk management with enterprise risk management. The areas of knowledge include risk management components, making it of interest to upper-level InfoSec managers.

Certified in the Governance of Enterprise IT (CGEIT) certification

The exam is targeted at upper-level executives (including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance). The areas of knowledge include risk management components, making it of interest to upper-level InfoSec managers.

task rotation:

The requirement that all critical tasks can be performed by multiple individuals.

job rotation:

The requirement that every employee be able to perform the work of at least one other employee.

Chief Information Security Officer (CISO)

Though not usually an executive-level position, the CISO is often considered the top InfoSec officer in the organization. The most common qualifications include working as a security manager as well as experience in planning, policy, and budgets. The most common certifications include the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM).

EC-Council Certifications

EC-Council offers a Certified CISO (C|CISO) certification, which is designed to be a unique recognition for those at the peak of their professional careers. The C|CISO tests not only security domain knowledge but also executive business management knowledge.

Security Technician

A technically qualified individual who may configure firewalls and intrusion detection and prevention systems (IDPSs), implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls are properly implemented. The role of security technician is the typical InfoSec entry-level position, albeit a technical one.

Security Manager

Accountable for the day-to-day operation of all or part of the InfoSec program. Security managers accomplish objectives identified by the CISO and resolve issues identified by the technicians. They are often assigned specific managerial duties by the CISO, including policy development, risk assessment, contingency planning, and operational and tactical planning for the security function. It is not uncommon for a security manager to hold a CISSP or CISM.

CISSP

Considered to be the most prestigious certification for security managers and CISOs, the CISSP recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec. To sit for the CISSP exam, the candidate must have at least five years of direct, full-time security professional work experience in two or more of 10 domains, or four years of direct security work experience in two or more domains and a four-year college degree.

A CISO position is business manager first and technologist second.

CISM

Geared toward experienced InfoSec managers and others who may have InfoSec management responsibilities. The CISM can assure executive management that a candidate has the background knowledge needed for effective security management and consulting. This exam is offered annually. To be certified, the applicant must:

• Pass the examination
• Adhere to a code of ethics promulgated by ISACA
• Pursue continuing education as specified
• Document five years of InfoSec work experience, with at least three years in InfoSec management in three of the four defined areas of practice

Consultants

Consultants have their own security requirements and contractual obligations; their contracts should specify their rights of access to information and facilities. Security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization from intentional or accidental breaches of confidentiality.

SSCP

More applicable to the security manager than to the technician, as the bulk of its questions focus on the operational nature of InfoSec. The SSCP focuses on practices, roles, and responsibilities as defined by experts from major InfoSec industries.

GIAC Certifications

GIAC certifications not only test for knowledge; they require candidates to demonstrate application of that knowledge. A certification can be "enhanced" through the pursuit of Gold or Expert status, which requires the applicant to complete a written practical assignment that tests the applicant's ability to apply skills and knowledge.

CompTIA Certifications

CompTIA, the organization that offered the first vendor-neutral professional IT certifications (the A+ series), now offers several security-related certifications:

• Security+
• Mobile App Security+
• CompTIA Advanced Security Practitioner (CASP)

The Certified Information Systems Auditor (CISA) certification,

While not specifically a security certification, the CISA does include many InfoSec components. It is promoted as being appropriate for auditing, networking, and security professionals.

Temporary workers

Temporary workers are brought in by organizations to fill positions temporarily or to supplement the existing workforce. In many cases, they are actually employees of a temp agency, a company that is paid to supply specially qualified individuals to an organization.

Contract employees (often called contractors)

Contract employees are typically hired to perform specific services for the organization. In many cases, they are hired via a third-party organization. Typical contract employees include groundskeepers, maintenance services staff, electricians, mechanics, and other repair people, but they can also include professionals, such as attorneys, technical consultants, and IT specialists.

Some of the common types of background checks are as follows:

• Identity Checks
• Education and Credential Checks
• Previous Employment Verification
• Reference Checks
• Worker's Compensation History
• Motor Vehicle Records
• Drug History
• Medical History
• Credit History
• Civil Court History
• Criminal Court History

CISOs should follow six key principles to shape their careers:

• Practice Business Engagement
• Focus Initiatives on What Is Learned
• Align, Target, and Time Initiatives
• Deliver Services
• Establish and Maintain Credibility
• Manage Relationships

When an employee leaves an organization, the following tasks must be performed:

• The former employee's access to the organization's systems must be disabled.
• The former employee must return all removable media, technology, and data.
• The former employee's hard drives must be secured.
• File cabinet locks must be changed.
• Office door locks must be changed.
• The former employee's keycard access must be revoked.
• The former employee's personal effects must be removed from the premises.
• The former employee should be escorted from the premises once keys, keycards, and any remaining organizational property have been turned over.
