
DATA SECURITY

Week 10
Kent Institute Australia Pty. Ltd.
ABN 49 003 577 302 CRICOS Code: 00161E
RTO Code: 90458 TEQSA Provider Number: PRV12051
Version 2 – 18th December 2015
Chapter 11
Security and
Personnel

Learning Objectives (1 of 2)
• Upon completion of this material, you should be able to:
- Describe where and how the information security function should be
positioned within organisations
- Explain the issues and concerns related to staffing the information security
function
- List and describe the credentials that information security professionals can
earn to gain recognition in the field
Learning Objectives (2 of 2)
- Discuss how an organisation’s employment policies and practices can support the
information security effort
- Explain the need for the separation of duties
- Describe the special requirements needed to ensure the privacy of personnel data
Introduction
• When implementing information security, there are many human
resource issues that must be addressed.
- Positioning and naming the security function
- Staffing for, or adjustments to, the staffing plan
- Assessing the impact of information security on every IT function
- Integrating solid information security concepts into personnel management
practices
Introduction (cont)
• Employees often feel threatened when an information security
program is being created or enhanced.
• Perception that the program is a manifestation of a “Big Brother”
attitude
- Will management be monitoring my work or my email?
- Will information security staff go through my hard drive looking for
evidence to fire me?
- Will these changes impact my job efficiency and effectiveness?
Positioning and Staffing the Security Function
• Information security must balance its duty to monitor compliance
against the need for education, training, awareness, and customer
service.

• InfoSec is by its nature often at odds with the goals and
objectives of the IT department. Why?
Positioning and Staffing the Security Function
• The security function can be placed within:
- IT function (the traditional and most common approach)
 CISO or CSO reporting to the CIO
 Potential conflict of interest
  - Assumes the goals, objectives and interests of the CIO and CISO are aligned
  - The CIO is in charge of technology and focuses on efficiency and availability of
processing and access to company information
  - The CISO acts like an internal auditor: examines data in transmission and storage
and looks for security faults and flaws in technology, hardware, software, employee
activities and processes
Positioning and Staffing the Security Function
• The security function can be placed within:
- Because of this conflict, the trend is now to move the InfoSec function out of
the IT department. Possible placements include:
 Within IT, as a peer of other subfunctions such as networks, applications
development and the help desk (the traditional option)
 Physical security function, as a peer of physical security or protective services
 Administrative services function, as a peer of HR or purchasing
 Insurance and risk management function
 Legal department
Staffing the Information Security Function
(1 of 4)
• Selecting personnel is based on several criteria, including some not
within the control of the organisation (supply and demand).
• Many professionals enter the security sector as:
- IT professionals gaining new skills, experience, and credentials
- Ex-law enforcement or military personnel with a national security or cybersecurity background
• At present, the information security industry is in a period of high
demand.
• Over-specialisation in a niche skill can be risky
• It is important to balance technical skills with general InfoSec knowledge
Staffing the Information Security
Function (2 of 4)
• Qualifications and requirements
- Often organisations look for technically qualified information security
generalists who understand how an organisation operates
- Important to balance technical skills with general InfoSec knowledge
- When hiring they look for candidates who understand;
 How an organisation operates at all levels
 Information security is usually a management problem, not a technical problem
 Importance of strong communications and writing skills
 The role of policy in guiding security efforts
 Most mainstream IT technologies
Staffing the Information Security
Function (3 of 4)
• Qualifications and requirements (cont)
- Organisations look for candidates who understand:
 The terminology of IT and information security
 Threats facing an organisation and how they can become attacks
 How to protect an organisation’s assets from information security
attacks
 How business solutions can be applied to solve specific information
security problems
Staffing the Information Security
Function (4 of 4)
• Information security positions
- Use of standard job descriptions can increase the degree of
professionalism and improve the consistency of roles and
responsibilities between organisations
- Charles Cresson Wood’s book Information Security Roles and
Responsibilities Made Easy offers a set of model job
descriptions
Information Security Positions (1 of 5)
• Chief Information Security Officer (CISO)
- Top information security officer; frequently reports to chief
information officer (CIO)
- Infosec architect, strategy definer
- Manages the overall information security program
- Drafts or approves information security policies
- Works with the CIO on strategic plans
- Develops information security budgets
Information Security Positions (2 of 5)
• Chief Information Security Officer (CISO) (cont)
- Works with Security Managers on operational plans
- Sets priorities for purchase/implementation of
information security projects and technology
- Makes recruiting, hiring and firing decisions or
recommendations
- Acts as spokesperson for information security team
- Typical qualifications: CISM accreditation, a graduate degree, and
experience
Information Security Positions (3 of 5)
• Chief Security Officer (CSO)
- The CISO's position (logical security) may be combined with
physical security responsibilities
- Knowledgeable in both IS requirements and the "guards, gates,
and guns" approach to security
- Experience with planning, policy and budgets
Information Security Positions (4 of 5)
• Security Manager
- Accountable for day-to-day operation of information security program
- Accomplishes objectives as identified by CISO, resolves issues
identified by technicians
- Typical qualifications:
 Often hold accreditation (CISSP, CISM) and a bachelor's degree in technology or security
 Ability to draft middle- and lower-level policies, standards, and guidelines
 Budgeting
 Project management
 Hiring and firing
 Ability to manage technicians
Information Security Positions (5 of 5)
• Security Technician/Analyst/Engineer
- Technically qualified employees tasked to configure security
hardware and software
- Tend to be specialised. Risky?
- Typical qualifications:
 Bachelor degree,
 Varied; organisations prefer expert, certified, proficient technician
 Some experience with a particular hardware and software package
 Actual experience in using a technology usually required
Credentials for Information Security
Professionals
• Many organisations seek industry recognised
certifications.
• Most existing certifications are relatively new and not
fully understood by hiring organisations.
Certifications (1 of 5)
• (ISC)2 Certifications
- Certified Information Systems Security Professional (CISSP)
- Consists of 8 Domains
1. Security & risk management
2. Asset security
3. Security engineering
4. Communications and network security
5. Identity and access management
6. Security assessment and testing
7. Security operations
8. Software development security
Certifications (2 of 5)
• (ISC)2 Certifications
- CISSP concentrations (demonstrate advance knowledge)
 Information Systems Security Architecture Professional (ISSAP)
 Information Systems Security Engineering Professional (ISSEP)
 Information Systems Security Management Professional (ISSMP)
Certifications (3 of 5)
• (ISC)2 Certifications (cont)
- Systems Security Certified Practitioner (SSCP)
- Certified Cyber Forensics Professional (CCFP)
- HealthCare Information Security and Privacy Practitioner
(HCISPP)
- Certified Cloud Security Professional (CCSP)
- Associate of (ISC)2
Certifications (4 of 5)
• ISACA Certifications
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified in Risk and Information Systems Control (CRISC)
Certifications (5 of 5)
• SANS Global Information Assurance Certification (GIAC)
• EC-Council Certified CISO (C|CISO) and Certified Ethical Hacker (CEH)
• CompTIA’s Security+
• ISFCE Certified Computer Examiner (CCE)
Certification Costs
• The more sought-after certifications can be expensive.
- Courses USD 2,000-5,000; exams USD 100-750
• They typically require 2-3 years of InfoSec work experience
• Even experienced professionals find exams difficult without some
review.
• Many candidates engage in individual, or group study sessions and
purchase exam review books.
• Before attempting a certification exam, do all homework and review
exam criteria, its purpose, and requirements to ensure that the time
and energy spent pursuing certification are worthwhile.
Advice for Information Security Professionals
• Always remember: business before technology.
• Technology solutions are tools to solve business problems
• Technology provides elegant solutions for some problems,
but only exacerbates others.
• Never lose sight of goal: protection of information assets
• Be heard and not seen.
• Know more than you say; be more skillful than you let on.
• Speak to/with users, not at them.
• Your education is never complete.
Employment Policies and Practices
• An organisation should make information security a
documented part of every employee’s job description.
• General Management community of interest should
integrate solid concepts for information security into the
organisation’s employment policies and practices.
• From information security perspective, hiring of employees
is a responsibility laden with potential security pitfalls.
• The CISO and Information Security Manager should work
with Human Resources (HR) department to incorporate
information security into guidelines used for hiring all
personnel.
Background Checks (1 of 2)
• Investigation into a candidate’s past should be conducted
before organisation extends offer to a candidate.
• Background checks differ in the level of detail and depth
with which a candidate is examined.
Background Checks (2 of 2)
• May include:
- Identity check
- Education and credential check
- Previous employment verification
- References check
- Social media review
- Worker’s compensation history
- Motor vehicle records
- Drug history
- Credit history and more
- Civil & Criminal court history
On-the-Job Security Training
• An organisation should integrate security awareness education into
job orientation and security training.
• Keeping security at the forefront of employees’ minds helps minimise
their mistakes and is an important part of information security
awareness mission.
• External and internal seminars and workshops should also be used to
increase security awareness for all employees, particularly security
employees.
Evaluating Performance
• Organisations should incorporate information security components
into employee performance evaluations.
• Employees pay close attention to job performance evaluations.
- Are more likely to take information security seriously if violations are
documented in them
Termination (1 of 4)
• When an employee leaves an organisation, security-related issues
arise. What are they?
• Key issue is continuity of protection of all information to which the
employee had access.
• After having delivered keys, keycards, and other business property, the
former employee should be escorted from the premises.
• Many organisations use an exit interview to remind former employees
of their contractual obligations and to obtain feedback.
Termination (2 of 4)
• Hostile departures include termination for cause, permanent
downsizing, temporary layoffs, or some instances of quitting.
- Before the employee is aware, all logical and keycard access is terminated
- Employee collects all belongings and surrenders all keys, keycards, and other
company property
- Employee is then escorted out of the building
Termination (3 of 4)
• Friendly departures include resignation, retirement, promotion, or
relocation.
- Employee may be notified well in advance of departure date
- More difficult for security staff to maintain positive control over the employee's
access and information usage
- Employee accounts usually continue with an expiration date
- Employees come and go at will, collect their own belongings, and leave on
their own
Termination (4 of 4)
• Offices and information used by the employee must be inventoried;
files stored or destroyed; and property returned to organisational
stores.
• Employees may foresee their departure well in advance and begin
collecting organisational information (files, reports and data) for use in
their future employment.
• If information has been illegally copied or stolen, report an incident
and follow the appropriate policy.
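The hostile and friendly departure steps above reduce to rules an identity team can check mechanically: a hostile leaver must have no enabled account at all, a friendly leaver's account may stay enabled only until the departure date and only with an expiry set on or before it, and any enabled account with no HR owner is orphaned. The following is an added example (not from the lecture slides) that reconciles a constructed HR roster against a constructed directory export; all names, column headings and dates are hypothetical.

```python
"""Leaver reconciliation: find accounts the termination procedure should have closed.

Added example, not from the lecture slides. It assumes two constructed exports:
an HR roster (who has left, when, and whether the departure was hostile or
friendly) and an identity-directory dump (account status and expiry). Both are
embedded as CSV; all names and column headings are hypothetical.
"""
import csv
import io
from datetime import date

# Constructed HR roster. departure_date is blank for current staff.
HR_ROSTER = """employee_id,name,departure_date,departure_type
1001,A. Smith,,
1002,B. Jones,2015-12-01,hostile
1003,C. Lee,2016-01-15,friendly
1004,D. Patel,2015-11-20,friendly
1005,E. Ross,2016-02-01,friendly
"""

# Constructed directory export. expires is blank when no expiry is set.
DIRECTORY = """account,employee_id,enabled,expires
asmith,1001,true,
bjones,1002,true,
clee,1003,true,2016-01-15
dpatel,1004,false,2015-11-20
eross,1005,true,
svc_backup,,true,
"""


def reconcile(hr_csv, dir_csv, today_iso):
    """Return a list of (account, reason) findings for the given date (ISO string).

    Rules, following the slides: a hostile departure must have no enabled
    account; a friendly departure may keep an enabled account only until the
    departure date and only if an expiry on or before that date is set; an
    enabled account with no HR owner is orphaned.
    """
    today = date.fromisoformat(today_iso)
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(dir_csv)):
        name = acct["account"]
        enabled = acct["enabled"].strip().lower() == "true"
        if not enabled:
            continue  # already disabled: nothing to do here
        emp = roster.get(acct["employee_id"])
        if emp is None:
            findings.append((name, "enabled account with no HR owner (orphaned)"))
            continue
        if not emp["departure_date"]:
            continue  # current employee
        departure = date.fromisoformat(emp["departure_date"])
        if emp["departure_type"] == "hostile":
            findings.append((name, "hostile departure but account still enabled"))
        elif departure <= today:
            findings.append((name, "departure date passed but account still enabled"))
        elif not acct["expires"]:
            findings.append((name, "friendly departure with no account expiry set"))
        elif date.fromisoformat(acct["expires"]) > departure:
            findings.append((name, "account expiry later than departure date"))
    return findings


if __name__ == "__main__":
    for account, reason in reconcile(HR_ROSTER, DIRECTORY, "2015-12-18"):
        print(f"{account}: {reason}")
```

Run against the embedded data as of 2015-12-18, the check flags the hostile leaver whose account was never disabled, the friendly leaver whose account carries no expiry, and the service account with no HR owner; the friendly leaver whose expiry matches the departure date passes. Re-running with a later date catches accounts that outlived their departure date, which is the case the slides describe as "employee accounts usually continue with an expiration date".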
Internal Control Strategies (1 of 4)
• Separation of duties is a cornerstone in the protection of information
assets and the prevention of financial loss.
- Used to reduce chance that an employee will violate information security;
stipulates that completion of significant tasks requires at least two people
• Two-man control: two individuals review and approve each other’s
work before the task is categorised as finished.
Figure 10-1 Internal control strategies (Source: Top left: © Rawpixel.com/Shutterstock.com. Bottom left: © Goodluz/Shutterstock.com. Top right: © imtmphoto/Shutterstock.com. Bottom right: © EdBockStock/Shutterstock.com.)
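Separation of duties and two-man control can be enforced as code rather than left to procedure. The following added example (not from the lecture slides) shows both halves: a static check that no one person holds a "toxic" pair of roles that would let them complete a significant task alone, and a dynamic check that a change is finished only when two distinct, authorised approvers, neither of them the requester, have signed off. The role model, role names and change-record format are all constructed assumptions.

```python
"""Separation of duties and two-person control as code.

Added example, not from the lecture slides. It assumes a constructed role
model (who holds which roles, and which role pairs must never be held by one
person) and a constructed change-request record with a requester and a list
of approvals. All names are hypothetical.
"""

# Constructed conflict matrix: one person holding both roles in a pair
# could complete a significant task alone, which separation of duties forbids.
CONFLICTING_ROLES = [
    frozenset({"developer", "prod_deployer"}),
    frozenset({"payment_initiator", "payment_approver"}),
]

# Constructed role assignments.
USER_ROLES = {
    "alice": {"developer"},
    "bob": {"prod_deployer", "change_approver"},
    "carol": {"change_approver"},
    "dave": {"developer", "prod_deployer"},  # toxic combination
    "erin": {"payment_initiator"},
}


def role_conflicts(user_roles=USER_ROLES, conflicts=CONFLICTING_ROLES):
    """Static SoD check: (user, role_a, role_b) for every conflicting pair held."""
    found = []
    for user in sorted(user_roles):
        for pair in conflicts:
            if pair <= user_roles[user]:
                role_a, role_b = sorted(pair)
                found.append((user, role_a, role_b))
    return found


def check_change(change, user_roles=USER_ROLES,
                 approver_role="change_approver", min_approvers=2):
    """Dynamic two-person control on one change record.

    The task counts as complete only when at least min_approvers distinct
    people holding approver_role, none of them the requester, have approved.
    Returns a list of problems; an empty list means the control is satisfied.
    """
    problems = []
    requester = change["requester"]
    approvals = change.get("approvals", [])
    if len(set(approvals)) < len(approvals):
        problems.append("the same person approved more than once")
    if requester in approvals:
        problems.append(f"requester {requester} approved their own change")
    not_authorised = sorted(
        u for u in set(approvals)
        if u != requester and approver_role not in user_roles.get(u, set())
    )
    if not_authorised:
        problems.append(f"approval by non-approver(s): {', '.join(not_authorised)}")
    valid = {
        u for u in approvals
        if u != requester and approver_role in user_roles.get(u, set())
    }
    if len(valid) < min_approvers:
        problems.append(f"{len(valid)} valid approver(s), {min_approvers} required")
    return problems


if __name__ == "__main__":
    print(role_conflicts())
    print(check_change({"id": "CHG-42", "requester": "alice", "approvals": ["bob", "carol"]}))
    print(check_change({"id": "CHG-43", "requester": "alice", "approvals": ["alice", "bob"]}))
```

The static check is what an access-review or job-rotation exercise would surface (here, dave holds both developer and production-deployer roles); the dynamic check rejects self-approval, duplicate approvals from one person, and approvals from people outside the approver role, so a task cannot be marked finished by fewer than two independent reviewers.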
Internal Control Strategies (2 of 4)
• Job rotation: employees learn each other's job skills.
- Ensures no one employee performs actions that cannot be performed and
physically audited by another employee
- Increases the chance of discovering wrongdoing
- Reduces the risk to the business from skills gaps when a staff member leaves
• Gardening leave – paid leave used by some companies to restrict the
flow of proprietary information when an employee leaves to join a
competitor.
• Mandatory annual vacations: why? While the employee is away someone else
performs the role, so irregularities that rely on the employee's continuous
presence to stay hidden are more likely to be discovered.
Internal Control Strategies (3 of 4)
• In some organisations, employees are required to sign a covenant not
to compete (CNC) or non-compete clause (NCC), which prevents them
from working for a direct competitor within a specified time frame.
• Need-to-know: only employees with a genuine business need to use particular
systems or information are allowed access to them.
• Least privilege: employees are granted only the minimum access rights and
permissions needed to perform their duties; need-to-know is the same principle
applied to information access.
Privacy and the Security of Personnel Data
• Organisations required by law to protect sensitive or personal
employee information.
• Includes employee addresses, phone numbers, social security
numbers, medical history/conditions, and family names and
addresses.
• Information security groups should ensure these types of data receive
at least the same level of protection as other important organisational
data.
Summary
• Positioning the information security function within organisations
• Issues and concerns about staffing information security
• Professional credentials of information security professionals
• Organisational employment policies and practices related to successful
information security
• Separation of duties
• Special requirements needed for the privacy of personnel data
