Security and personnel

Information Technology & Management Program
  1. Transforming Lives. Inventing the Future. www.iit.edu
     ILLINOIS INSTITUTE OF TECHNOLOGY
     ITM 578: Security and Personnel
     Ray Trygstad, ITM 578 Section 071, Summer 2003
     Master of Information Technology & Management Program, Center for Professional Development
     Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
  2. Learning Objectives
     Upon completion of this lesson students should be able to:
     – Describe where and how the information security function is positioned within organizations
     – Discuss issues and concerns about staffing the information security function
     – Describe credentials that professionals in the information security field can acquire
  3. Learning Objectives (continued)
     Upon completion of this lesson students should be able to:
     – Recognize how an organization’s employment policies and practices can support the information security effort
     – Explain special security precautions necessary for nonemployees
     – Recognize the need for the separation of duties
     – Describe special requirements needed for the privacy of personnel data
  4. Introduction
     • When implementing information security, many human resource issues must be addressed:
       1. How to position and name the security function
       2. Planning of proper staffing for the information security function
       3. Understanding the impact of information security across every role in the IT function, and adjusting job descriptions and documented practices accordingly
       4. General management must work with IS professionals to integrate solid information security concepts into organizational personnel management practices
  5. Introduction (continued)
     • Understanding the impact of change to the organization’s personnel management practices is important to the success of implementation
     • Employees often feel threatened when an organization is creating or enhancing an overall information security program
     • Quelling doubts and reassuring employees is a fundamental part of implementation
     • It’s important to supply resources to gather and respond quickly to employee feedback
  6. Security Function Within an Organization’s Structure
     The security function can be placed within the:
     – IT function
     – Physical security function
     – Administrative services function
     – Insurance and risk management function
     – Legal department
  7. Security Function Within an Organization’s Structure (continued)
     The challenge is to design a structure that balances the competing needs of the communities of interest
     Organizations compromise to balance the needs of enforcement with the needs for education, training, awareness, and customer service
  8. Audit Function of IT Security
     Since Information Security has an important audit function, some feel it should not be in the IT organization
     This is based on the principle that audit organizations should be external to the area audited
  9. Staffing the Security Function
     Selecting information security personnel is based on many criteria, including supply and demand
     Many professionals enter the security market by gaining skills, experience, and credentials to qualify as new supply
  10. Staffing the Security Function (continued)
     Until the new supply reaches the demand level, organizations must pay the higher costs associated with the current limited supply
     When supply reaches a level at or above demand, organizations hiring these skills can become selective, so the cost they are willing to pay drops
     Currently the information security industry is in a period of high demand
  11. Qualifications and Requirements
     Issues in information security hiring:
     – Management should learn more about position requirements and qualifications
     – Upper management should also learn more about the budgetary needs of the information security function
     – Management needs to learn more about the level of influence and prestige the information security function should be given in order to be effective
  12. Qualifications and Requirements (continued)
     Organizations typically look for a technically qualified information security generalist
     In the information security discipline, over-specialization is often a risk, and it is important to balance technical skills with general information security knowledge
  13. Hiring Criteria
     When hiring infosec professionals, organizations frequently look for individuals who understand:
     – How an organization operates at all levels
     – That information security is usually a management problem and is seldom an exclusively technical problem
     – People, and who have strong communications and writing skills
     – The roles of policy and education and training
  14. More Hiring Criteria
     When hiring infosec professionals, organizations frequently look for individuals who understand:
     – The threats and attacks facing an organization
     – How to protect the organization from attacks
     – How business solutions can be applied to solve specific information security problems
     – Many of the most common mainstream IT technologies, as generalists
     – The terminology of IT and information security
  15. Entry into the Security Profession
     Many information security professionals enter the field through one of two career paths:
     – Ex-law enforcement and military personnel
     – Technical professionals working on security applications and processes
     Today, students are selecting and tailoring degree programs to prepare for work in security
  16. Career Paths to InfoSec Positions
     FIGURE 11-1 Career Paths to Information Security Positions (paths shown: military and law enforcement, technology, and security education, all leading into security)
  17. Entry into the Security Profession (continued)
     • The current perception is that a security professional must first be a proven professional in another field of IT
     • IT professionals moving into information security often focus on the technology to the exclusion of general information security issues
     • Organizations can foster greater professionalism in the field through clearly defined expectations and position descriptions
  18. Information Security Positions
     The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities between organizations
     Organizations that are revising the roles and responsibilities of InfoSec staff can consult references
  19. Positions in Information Security
     FIGURE 11-2 Positions in Information Security: Chief Information Security Officer (CISO), Security Consultant, Security Administrator, Security Manager, Security Officer, Security Technician
  20. InfoSec Staffing Help Wanted
     • Definers provide the policies, guidelines, and standards
     • Builders are the real techies, who create and install security solutions
     • Operators run and administer the security tools, perform security monitoring, and continuously improve processes
  21. Chief Information Security Officer
     • Top information security position in the organization
       – Not usually an executive
       – Frequently reports to the CIO/CTO
     • Qualifications & position requirements
       – Often a CISSP
       – Graduate degree
       – Experience as a security manager
     • Business managers first—technologists second; must also be conversant in all areas of security, including technical, planning, and policy
  22. CISO Functions
     • Manage the overall InfoSec program
     • Draft or approve information security policies
     • Work with the CIO on strategic plans, develop tactical plans, and work with security managers on operational plans
     • Develop InfoSec budgets based on funding
     • Set priorities for InfoSec projects & technology
     • Make decisions in recruiting, hiring, and firing of security staff
     • Act as spokesperson for the security team
  23. Security Manager
     • Accountable for the day-to-day operation of the information security program
     • Accomplishes objectives as identified by the CISO
     • Qualifications and position requirements:
       – Not uncommon to have a CISSP
       – Traditionally, managers have earned the CISSP while technical professionals earned the Global Information Assurance Certification
       – Must have the ability to draft middle- and lower-level policies as well as standards and guidelines
       – Must have experience in budgeting, project management, and hiring and firing
       – Must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities
  24. Security Technician
     • Technically qualified individuals tasked to configure security hardware and software
     • Tend to be specialized, focusing on one major security technology and further specializing in one software or hardware solution
     • Qualifications and position requirements:
       – Organizations prefer expert, certified, proficient technicians
       – Job descriptions cover some level of experience with a particular hardware and software package
       – Sometimes familiarity with a technology secures an applicant an interview; however, experience in using the technology is usually required
  25. Internal Security Consultant
     • Typically an expert in some aspect of information security
     • Although it is usually preferable to involve a formal security services company, it is not unusual to find a qualified individual consultant
     • Must be highly proficient in the managerial aspects of security
     • Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO
  26. Credentials of Infosec Professionals
     Many organizations seek recognizable certifications to indicate the proficiency level associated with various security positions
     Most certifications are relatively new and not fully understood by hiring organizations
  27. Credentials of Infosec Professionals (continued)
     • Certifying bodies work hard to educate the general public on the value and qualifications of their certificate recipients
     • Employers are trying to understand the match between certifications and position requirements, and candidates are trying to gain meaningful employment based on newly received certifications
  28. Credentials of Infosec Professionals (continued)
     Certifications:
     – Certified Information Systems Security Professional (CISSP) & Systems Security Certified Practitioner (SSCP) [(ISC)²]
     – Global Information Assurance Certification (GIAC) [SANS Institute]
     – Security Certified Professional (SCP) [SCP]
     – TruSecure ICSA Certified Security Associate (TICSA) & TruSecure ICSE Certified Security Expert (TICSE) [TruSecure]
  29. Credentials of Infosec Professionals (continued)
     Certifications:
     – Security+ [CompTIA]
     – Certified Information Systems Auditor (CISA) & Certified Information Security Manager (CISM) [ISACA]
     – Certified Information Forensics Investigator (CIFI) [ISFA]
     – Computer and Network Security Technologies Graduate Certificate [IIT]
  30. Cost of Being Certified
     Certifications cost money, and the better certifications can be quite expensive; the cost of training can also be significant
     Even an experienced professional finds it difficult to sit for one of these exams without some preparation
  31. Cost of Being Certified (continued)
     Many candidates teach themselves through trade press books; others prefer the structure of formal training
     Before attempting a certification exam, do your homework and review the exam criteria, its purpose, and its requirements in order to ensure that the time and energy spent pursuing the certification are well spent
  32. Preparing for Security Certification
     FIGURE 11-3 Preparing for Security Certification: Self-Study Guides, Certification Mentors & Study Partners, Work Experience, Training Media, Formal Training Programs
  33. Advice for Information Security Professionals
     • If you are a future information security professional, you can benefit from these suggestions on entering the information security job market:
       – Always remember: business first, technology last
       – It’s all about the information
       – Be heard and not seen
       – Know more than you say, be more skillful than you let on
       – Speak to users, not at them
       – Your education is never complete
  34. Employment Policies and Practices
     General management should integrate solid information security concepts into the organization’s employment policies and practices
     If the organization can include security as a documented part of every employee’s job description, perhaps information security will be taken more seriously
  35. Hiring and Termination Issues
     From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls
     The CISO and information security manager should establish a dialogue with the Human Resources department to provide an information security viewpoint for hiring personnel
  36. Hiring Issues
     FIGURE 11-4 Hiring Issues: Certifications, Background Checks, Covenants & Agreements, Policies, Contracts
  37. Job Descriptions
     Inserting information security perspectives into the hiring process begins with reviewing and updating all job descriptions
     To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when advertising positions
  38. Interviews
     • An opening within Information Security opens up a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate
     • Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights the new hire would have
     • For those organizations that include on-site visits as part of interviews, it is important to use caution when showing a candidate around the facility
  39. Background Checks
     • A background check is an investigation into a candidate’s past
     • There are regulations that govern such investigations
     • Background checks differ in the level of detail and depth with which the candidate is examined:
       – Identity checks
       – Education and credential checks
       – Previous employment verification
       – Reference checks
       – Worker’s Compensation history
       – Motor vehicle records
       – Drug history
       – Credit history
       – Civil court history
       – Criminal court history
  40. Fair Credit Reporting Act
     • Federal regulations govern the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)
     • Background reports contain information on a job candidate’s credit history, employment history, and other personal data
     • FCRA prohibits employers from obtaining these reports unless the candidate is informed
  41. Employment Contracts
     Once a candidate has accepted the job offer, the employment contract becomes an important security instrument
     Many security policies require an employee to agree in writing
     – If an existing employee refuses to sign these contracts, the security personnel are placed in a difficult situation
  42. Employment Contracts (continued)
     New employees, however, may find policies classified as “employment contingent upon agreement,” whereby the employee is not offered the position unless he/she agrees to the binding organizational policies
  43. New Hire Orientation
     • As new employees are introduced into the organization’s culture and workflow, they should receive an extensive information security briefing on all major policies, procedures, and requirements for information security
     • The levels of authorized access are outlined, and training is provided on the secure use of information systems
     • By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely
  44. On-the-Job Security Training
     • As part of the new hire’s ongoing job orientation, and as part of every employee’s security responsibilities, the organization should conduct periodic security awareness training
     • Keeping security at the forefront of employees’ minds and minimizing employee mistakes is an important part of the information security awareness mission
     • Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees
  45. Performance Evaluation
     • To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
     • Employees pay close attention to job performance evaluations, and if the evaluations include information security tasks, employees are more motivated to perform these tasks at a satisfactory level
  46. Termination
     When an employee leaves an organization, there are a number of security-related issues
     The key is the protection of all information to which the employee had access
  47. Termination Tasks
     • When an employee leaves, several tasks must be performed:
       – Revoke access to the organization’s systems
       – Return removable media
       – Secure hard drives
       – Change file cabinet locks
       – Change office door lock
       – Revoke keycard access
       – Remove all personal effects from the organization’s premises
     • Once cleared—if circumstances dictate—former employees should be escorted from the premises
  48. Exit Interview
     • In addition, many organizations use an exit interview:
       – Obtain feedback on the employee’s tenure in the organization
       – Remind the departing employee of contractual obligations, such as nondisclosure agreements
       – Also remind the departing employee that if they fail to comply with contractual obligations, civil or criminal action may result
  49. Exit Scenarios
     • From a security standpoint, security cannot risk the exposure of organizational information
     • The simplest and best method to handle the outprocessing of an employee is to select one of the scenarios that follow, based on the employee’s reasons for leaving:
       – Hostile departure (nonvoluntary) procedure: termination, downsizing, lay off, or quitting
       – Friendly departure (voluntary): retirement, promotion, or relocation
  50. Hostile Departure Procedure
     • Termination, downsizing, lay off, or quitting
       – Terminate all logical and keycard access before the employee is aware
       – As soon as the employee reports for work, the employee is escorted into the supervisor’s office
       – Upon receiving notice, the employee is politely escorted to their working space and allowed to collect personal belongings
       – The employee is asked to surrender all keys, keycards, and other company property
       – The former employee is then politely escorted out of the building
  51. Friendly Departure Procedure
     • Retirement, promotion, or relocation
       – The employee may have tendered notice well in advance of the actual departure date
       – This actually makes it harder for security to maintain positive control over the employee’s access and information usage
       – Employee access is usually allowed to continue with a new expiration date
       – Employees come and go at will, collect their own belongings, and leave on their own
       – They are asked to drop off all organizational property “on their way out the door”
  52. Termination
     • In all circumstances, offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
     • It is possible that employees foresee departure well in advance, and begin collecting organizational information or anything that could be valuable in their future employment
  53. Termination (continued)
     • Only by scrutinizing system logs after the employee has departed, and sorting out authorized actions from systems misuse or information theft, can the organization determine if there has been a breach of policy or a loss of information
     • In the event that information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed
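Added example (not from the slides or from Whitman and Mattord) of the post-departure log review that slides 50 to 53 call for: a roster of departed accounts is run against constructed, syslog-like records to find any successful logon or file access after an account's cut-off time (the revocation the hostile-departure procedure requires did not hold) and, for a friendly departure with advance notice, a jump in file reads during the notice period compared with the period before it. The record format, account names, window length and ratio are assumptions.

```python
"""Post-departure log review for off-boarded accounts (added example).

Two checks over constructed records (format and values are assumptions):
  1. post_termination_activity: a successful event by an account at or after
     its recorded cut-off means access revocation failed or was incomplete.
  2. pre_departure_spike: for a friendly departure with notice, compare file
     reads in the notice window with the preceding window of equal length.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed roster: account -> (departure type, effective cut-off time).
ROSTER = {
    "jdoe":   ("hostile",  datetime(2003, 6, 16, 8, 0)),
    "asmith": ("friendly", datetime(2003, 6, 20, 17, 0)),
}

# Constructed log records: "<ISO time> <event> user=<account> [key=value ...]".
LOG_LINES = """\
2003-06-08T09:12:00 FILE_READ user=asmith path=/fin/q1.xls
2003-06-10T10:01:00 FILE_READ user=asmith path=/fin/q2.xls
2003-06-14T14:10:00 FILE_READ user=asmith path=/hr/salaries.xls
2003-06-15T09:00:00 FILE_READ user=asmith path=/hr/bonuses.xls
2003-06-17T11:45:00 FILE_READ user=asmith path=/eng/roadmap.doc
2003-06-18T11:46:00 FILE_READ user=asmith path=/eng/design.doc
2003-06-19T16:30:00 FILE_READ user=asmith path=/fin/forecast.xls
2003-06-16T07:58:00 LOGON_OK user=jdoe host=ws12
2003-06-16T08:05:00 LOGON_OK user=jdoe host=ws12
2003-06-16T08:06:00 FILE_READ user=jdoe path=/eng/design.doc
2003-06-17T09:00:00 LOGON_FAIL user=jdoe host=ws12
2003-06-21T08:00:00 LOGON_OK user=asmith host=ws07
""".splitlines()

# Events that mean the account actually got in; LOGON_FAIL shows revocation held.
SUCCESS_EVENTS = {"LOGON_OK", "FILE_READ"}


def parse_line(line):
    """Parse one record into (time, event, account, remaining key=value fields)."""
    when, event, rest = line.split(" ", 2)
    fields = dict(f.split("=", 1) for f in rest.split())
    return datetime.fromisoformat(when), event, fields.pop("user"), fields


def post_termination_activity(roster, lines):
    """Successful events by a rostered account at or after its cut-off.

    Returns a list of (account, time, event) in time order.
    """
    findings = []
    for line in lines:
        when, event, account, _ = parse_line(line)
        if account not in roster or event not in SUCCESS_EVENTS:
            continue
        _, cutoff = roster[account]
        if when >= cutoff:
            findings.append((account, when, event))
    return sorted(findings, key=lambda f: f[1])


def pre_departure_spike(roster, lines, notice_days=7, factor=2.0):
    """Flag friendly departures whose notice-window file reads are at least
    `factor` times the reads in the preceding window of the same length.

    Returns {account: (reads_before, reads_in_notice)} for flagged accounts.
    """
    reads = Counter()
    for line in lines:
        when, event, account, _ = parse_line(line)
        if event != "FILE_READ" or account not in roster:
            continue
        kind, cutoff = roster[account]
        if kind != "friendly" or when >= cutoff:
            continue
        notice_start = cutoff - timedelta(days=notice_days)
        baseline_start = notice_start - timedelta(days=notice_days)
        if when >= notice_start:
            reads[(account, "notice")] += 1
        elif when >= baseline_start:
            reads[(account, "baseline")] += 1
    flagged = {}
    for account, (kind, _) in roster.items():
        if kind != "friendly":
            continue
        before = reads[(account, "baseline")]
        during = reads[(account, "notice")]
        if during >= factor * max(before, 1):   # avoid a zero baseline
            flagged[account] = (before, during)
    return flagged


if __name__ == "__main__":
    for account, when, event in post_termination_activity(ROSTER, LOG_LINES):
        print(f"ACCESS AFTER CUT-OFF: {account} {event} at {when}")
    for account, (before, during) in pre_departure_spike(ROSTER, LOG_LINES).items():
        print(f"PRE-DEPARTURE SPIKE: {account} {before} -> {during} file reads")
```

Any hit from the first check should be handled under the incident policy the deck refers to, since the account was supposed to be disabled; the second check only ranks accounts for an analyst's review of what was read.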
54. Security Considerations for Nonemployees
- A number of individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information.
- Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft.

55. Temporary Employees
- Temporary employees: hired by the organization to serve in a temporary position or to supplement the existing workforce.
- As they are not employed by the host organization, they are often not subject to its contractual obligations or general policies; if these individuals breach a policy or cause a problem, the actions the organization can take are limited.
- From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties.
- Ensure that the temp's supervisor restricts the information to which they have access.

56. Maintenance Personnel
- Internal maintenance and custodial personnel who may have access to IT assets need to have the necessary clearances, even if handling these assets is not part of their regular job.
- Contract and warranty service personnel need to be supervised when working on any equipment with access to sensitive or classified data.
- Contract custodial personnel must be bonded.

57. Contract Employees
- Contract employees are typically hired to perform specific services for the organization.
- The host company often makes a contract with a parent organization rather than with an individual for a particular task.
- In a secure facility, all contract employees are escorted from room to room, as well as into and out of the facility.
- Certain restrictions or requirements also need to be negotiated into the contract agreements when they are activated.

58. Consultants
- Consultants should be handled like contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room.
- Security and technology consultants especially must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization.
- Just because you pay a security consultant does not make the protection of your information his or her number one priority.

59. Business Partners
- Businesses find themselves in strategic alliances with other organizations, desiring to exchange information, integrate systems, or simply discuss operations for mutual advantage.
- There must be a meticulous, deliberate process for determining what information is to be exchanged, in what format, and to whom.
- Nondisclosure agreements and the level of security of both systems must be examined before any physical integration takes place, as connecting systems means that the vulnerability of one system is the vulnerability of all.

60. Separation of Duties & Collusion
- The completion of a significant task that involves sensitive information should require two people, using the check-and-balance method, to avoid collusion.
  - If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises.
- The check-and-balance method requires two or more people to conspire to commit an incident; such conspiracy is known as collusion.

61. Separation of Duties & Collusion
- A similar concept is two-man control, where two individuals review and approve each other's work before the task is categorized as finished.
- In two-man control, each person completely finishes the necessary work and then submits it to the co-worker.
- Each co-worker examines the work performed, double-checking the actions taken and ensuring no errors or inconsistencies exist.

62. Separation of Duties & Collusion
- Another control is job rotation, where employees know each other's job skills.
- A mandatory vacation of at least one week provides the ability to audit the work.
- Need-to-know and least privilege ensure that no unnecessary access to data occurs, and that only those individuals who must access the data do so.

63. Preventing Collusion
[Figure 11-6, Preventing Collusion. Separation of duties: work is divided up, and each team member performs only his or her portion of the task sequence. Two-man control: team members review each other's work.]
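The two controls in Figure 11-6 expressed as an access check, added here as an example and not code from the lecture: the preparer of a sensitive task is barred from approving it (separation of duties), and two distinct reviewers must approve before release (two-man control), so that misuse requires collusion. The task name and people are constructed; the approval count of two is an assumption.

```python
class SeparationOfDutiesError(Exception):
    """Raised when one person tries to fill two roles the control keeps apart."""

class DualControlledTask:
    """A sensitive task (constructed example: a payroll release) that no single
    person can release.

    Separation of duties: whoever prepared the task may not approve it.
    Two-man control: two distinct reviewers must each approve before release,
    so misuse requires at least two people to conspire (collusion).
    """
    def __init__(self, name, prepared_by, reviewers_required=2):
        self.name = name
        self.prepared_by = prepared_by
        self.reviewers_required = reviewers_required
        self.approvals = set()   # a set: one reviewer approving twice counts once
        self.audit = []          # who did what, kept for the later log review

    def approve(self, reviewer):
        if reviewer == self.prepared_by:
            self.audit.append(("rejected", reviewer, "preparer may not approve own work"))
            raise SeparationOfDutiesError(
                f"{reviewer} prepared {self.name!r} and may not approve it")
        self.approvals.add(reviewer)
        self.audit.append(("approved", reviewer, self.name))
        return self.is_released()

    def is_released(self):
        return len(self.approvals) >= self.reviewers_required

def release_with_dual_control(task, attempted_approvers):
    """Apply each approval in turn; return whether the task was released and
    which attempts the separation-of-duties check rejected."""
    rejected = []
    for person in attempted_approvers:
        try:
            task.approve(person)
        except SeparationOfDutiesError:
            rejected.append(person)
    return task.is_released(), rejected
```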
64. Privacy and the Security of Personnel Data
- Organizations are required by law to protect employee information that is sensitive or personal.
- This includes employee addresses, phone numbers, social security numbers, medical conditions, and even the names and addresses of family and relatives.
- This responsibility also extends to customers, patients, and business relationships.

65. The End... Discussion!