module 7 cyber notes
5 places the information security department can be placed in an organization
- IT (most common)
- Physical security
- Administrative services
- Insurance and risk management
- Legal
Friendly departures
- include resignation, retirement, promotion, or relocation
- employee accounts usually continue, with a new expiration date set
- employees come and go at will, collect their belongings, and leave on their own
Hostile departures
- include termination for cause, permanent downsizing, temporary layoff, or some instances of quitting
- the employee collects all belongings and surrenders keys, keycards, and other company property
- the employee is escorted out of the building
things to be done when an employee is terminated
- access to the organization's systems must be disabled
- removable media must be returned
- hard drives must be secured
- file cabinet locks must be changed
- office door locks must be changed
- keycard access must be revoked
- personal effects must be removed from the organization's premises
consultants
- their contracts specify all requirements for information or facility access
- security and technology consultants are prescreened, escorted through work areas, and subjected to nondisclosure agreements
- protecting the organization's information is the organization's responsibility, not the consultant's top priority
security manager main roles
- runs the day-to-day operation of the infosec program
- accomplishes the objectives identified by the CISO and resolves issues with technicians
when interviewing a candidate, you should
- make sure the interviewers (usually HR) understand the certifications and qualifications the position requires
- limit the information given to the candidate about the responsibilities and access rights of the position
- when on-site visits are part of the interview, exercise caution when showing the candidate around
business partners
- external businesses forming strategic alliances to exchange information, integrate systems, or discuss operations
- nondisclosure agreements are signed before any physical integration happens
contract employees
- hired to perform specific services for an organization
- contract employees are escorted from room to room and in and out of the facility
- restrictions are negotiated into the contract agreement when it is activated
what's included in background checks
- identity check
- education and credential check
- previous employment verification
- reference check
- worker's compensation history
- motor vehicle records
- drug history
- credit history
how people enter infosec careers
- law enforcement and military
- technical IT professionals
- college graduates
Chief Information Security Officer (CISO) main roles
- manages the overall infosec program
- drafts or approves infosec policies
- works with the CIO on strategic and tactical plans, and with security managers on operational plans
- develops infosec budgets based on available funding
- sets priorities for the purchase and implementation of infosec projects and technology
- makes decisions or recommendations on recruiting, hiring, and firing
- acts as spokesperson for the information security team
temporary employees
- not usually bound by the organization's policies and obligations, so if they violate them the actions the organization can take are limited
- access is limited to what they need to do their job
qualifications to be security manager
- often hold the CISSP (Certified Information Systems Security Professional) or CISM and a bachelor's degree in the field
- ability to draft mid- and lower-level policies, standards, and guidelines
- budgeting, project management, and hiring/firing
- ability to manage technicians
personnel control strategies include
- separation of duties
- two-person control
- job rotation
- mandatory vacations (give the organization the ability to audit the work of an employee while they are away)
- need to know
- least privilege
security technician main roles
- tasked with configuring security hardware and software
qualifications to be security technician
- varies between organizations: expert, certified, or proficient
- some experience with the particular hardware and software in use
- actual hands-on experience using the technology is required
7 pieces of advice for infosec pros
1. always remember business before technology
2. technology provides elegant solutions for some problems but only exacerbates (worsens) others
3. never lose sight of the goal of protecting the organization's information assets
4. be heard and not seen
5. know more than you say; be more skillful than you let on
6. speak to users, not at them
7. your education is never complete
from 2019 to 2029, the infosec field should grow by
31%
Need to know
Defines the minimum level of access for subjects based on their job or business requirements
qualifications to be CISO
- bachelor's degree in security or a computer-related field
- CISM (Certified Information Security Manager) certification
- graduate degree
- experience as a security manager
employees often feel threatened when an information security program is
being created or enhanced
for better hiring practices, upper management should learn more about
budgetary needs of information security function
when things are secured from an employee termination, that employee is
given an exit interview to remind them of their contractual obligations and to get feedback
for better hiring practices, IT and general management should
grant appropriate levels of influence and prestige to information security
Separation of duties
dividing tasks among multiple employees so that no single person can compromise the confidentiality, integrity, or availability of information
CISO needs to know both
infosec and physical security
most people enter infosec through
law enforcement/military and college grads
job rotation (task rotation)
multiple employees train to perform each critical task
Infosec should balance duty to monitor compliance with
the needs for education, training, awareness, and customer service
EC-Council Certifications
offers:
- CEH (Certified Ethical Hacker)
- C|CISO (Certified Chief Information Security Officer)
- others in security awareness, fundamental, core, specialist, advanced, and management areas
CompTIA certification
offers:
- Security+
- CySA+
- PenTest+
- CASP+
ISACA Certifications
offers:
- Certified Information Security Manager (CISM)
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified Data Privacy Solutions Engineer (CDPSE)
(ISC)^2 certifications
offers:
- Certified Information Systems Security Professional (CISSP)
- Systems Security Certified Practitioner (SSCP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Certified Authorization Professional (CAP)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
- Certified Cloud Security Professional (CCSP)
SANS/GIAC certifications
offers:
- cyber defense
- industrial control systems
- offensive operations
- digital forensics and incident response
- cloud security
- management and leadership
- GIAC Security Expert (GSE)
employment contracts
once a candidate accepts a job offer, the employment contract requires them to agree to the organization's nondisclosure and other policy obligations
hiring employees is a
responsibility laden (burdened) with potential security pitfalls
Least privilege
restricts an employee's access to the minimum needed for their job (their need to know)
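The personnel control strategies listed earlier (separation of duties, two-person control, need to know, and least privilege) become concrete once an authorization layer enforces them. The Python below is an added example and is not part of these notes or of any textbook; the roles, permissions, conflict pairs, workflow and user names are all constructed for illustration.

```python
"""Added example (not from the notes): enforcing least privilege, separation
of duties and two-person control as authorization checks in an approval
workflow. All roles, permissions, conflict pairs and users are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Least privilege / need to know: each role carries only the permissions
# its job actually requires (constructed role set).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "treasury": {"payment:release"},
    "auditor": {"invoice:read", "payment:read"},
}

# Separation of duties: no single person may perform both halves of a
# conflicting pair on the same object (e.g. create AND approve an invoice).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"invoice:create", "invoice:approve"}),
    frozenset({"invoice:approve", "payment:release"}),
}

# Two-person (dual) control: how many distinct people must act before the
# operation takes effect. Permissions not listed need only one person.
DUAL_CONTROL: Dict[str, int] = {"payment:release": 2}


class AuthzError(Exception):
    """Raised when a request violates least privilege or separation of duties."""


@dataclass
class WorkItem:
    """One object moving through the workflow, with its audit trail."""
    object_id: str
    history: List[Tuple[str, str]] = field(default_factory=list)   # (user, permission)
    approvals: Dict[str, Set[str]] = field(default_factory=dict)    # permission -> approvers


def permissions_for(roles: Set[str]) -> Set[str]:
    """Union of the permissions granted by a user's roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def authorize(user: str, roles: Set[str], permission: str, item: WorkItem) -> str:
    """Return 'allowed' or 'pending'; raise AuthzError if the request is denied."""
    # 1. Least privilege: the caller's roles must actually grant the permission.
    if permission not in permissions_for(roles):
        raise AuthzError(f"{user} lacks {permission}")

    # 2. Separation of duties: refuse if this same user already exercised a
    #    conflicting permission on this object.
    for prior_user, prior_perm in item.history:
        if prior_user == user and frozenset({prior_perm, permission}) in SOD_CONFLICTS:
            raise AuthzError(f"{user} already did {prior_perm} on {item.object_id}; "
                             f"{permission} would violate separation of duties")

    # 3. Two-person control: record the approval and wait for a quorum of
    #    DISTINCT people (the same person approving twice does not count).
    item.history.append((user, permission))
    required = DUAL_CONTROL.get(permission, 1)
    if required > 1:
        approvers = item.approvals.setdefault(permission, set())
        approvers.add(user)
        if len(approvers) < required:
            return "pending"
    return "allowed"


def run_demo() -> List[str]:
    """Walk one constructed invoice through the workflow; return each outcome."""
    inv = WorkItem("INV-1001")
    out: List[str] = []
    out.append(authorize("alice", {"ap_clerk"}, "invoice:create", inv))
    try:   # alice tries to approve her own invoice: separation-of-duties violation
        authorize("alice", {"ap_clerk", "ap_approver"}, "invoice:approve", inv)
    except AuthzError:
        out.append("denied:sod")
    out.append(authorize("bob", {"ap_approver"}, "invoice:approve", inv))
    try:   # bob tries to release payment without the treasury role: least privilege
        authorize("bob", {"ap_approver"}, "payment:release", inv)
    except AuthzError:
        out.append("denied:privilege")
    out.append(authorize("carol", {"treasury"}, "payment:release", inv))  # first approver
    out.append(authorize("carol", {"treasury"}, "payment:release", inv))  # same person again
    out.append(authorize("dave", {"treasury"}, "payment:release", inv))   # second distinct person
    return out


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The history list doubles as the audit trail that job rotation and mandatory vacations rely on: a reviewer covering for an absent employee can see every action that person took on each object, not just the final state.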
when making job descriptions, organizations should avoid
revealing access privileges to prospective employees when advertising open positions
Things to do/use before certification test
- self-study guides
- work experience
- training media
- formal training programs
- mentors and study partners
for better hiring practices, general management should learn more about
skills and qualifications for positions
organizations typically look for technically qualified information security generalists who have a
solid understanding of how an organization operates
how organizations select infosec pros
- supply and demand of personnel
- skills
- experience
- credentials
for any type of termination, what must be done
the offices and information used by the employee must be inventoried, files must be stored or destroyed, and all property returned to organizational stores
two-person control (dual control)
two employees must review and approve each other's work
organizations look for candidates who understand (first 5)
- how an organization operates at all levels
- that information security is usually a management problem and is seldom exclusively a technical problem
- how to work with people and collaborate with end users, and the importance of strong communication and writing skills
- the role of policy in guiding security efforts, and the role of education and training in making employees and others part of the solution
- most mainstream IT technologies at a general level
4 issues that must be addressed when implementing information security
- positioning and naming the security function
- staffing for, or adjustments to, the staffing plan
- assessing the impact of information security on every IT function
- integrating solid information security concepts into personnel management practices
organizations look for candidates who understand (last 4)
- the terminology of IT and information security
- the threats facing an organization and how they can become attacks
- how to protect an organization's information assets from attacks
- how business solutions, including technology-based solutions, can be applied to solve specific information security problems