Topic 6 - Security Management Practices
Security Employment Practices (1)
Hiring (a)
Job Descriptions (i)
• Integrating InfoSec into the hiring process begins with
reviewing and updating job descriptions to include InfoSec
responsibilities.
• Organizations that provide complete job descriptions when
advertising open positions should omit the elements of the
job description that describe access privileges or the type
and sensitivity of information to which the position would
have access.
• Some of the common types of background checks are as follows:
• Identity checks - Personal identity validation; is the person who he or she claims to be?
• Education and credential checks - Institutions attended, degrees and certifications earned, and certification status
• Previous employment verification - Where candidates worked, why they left, what they did, and for how long
• Reference checks - Validity of references and integrity of reference sources
• Worker's compensation history - Claims from worker's compensation
• Motor vehicle records - Driving records, suspensions, and other items noted in the applicant's public record
• Drug history - Drug screening and drug usage, past and present
• Medical history - Current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
• Credit history - Credit problems, financial problems, and bankruptcy
• Civil court history - Involvement as the plaintiff or defendant in civil suits
• Criminal court history - Criminal background, arrests, convictions, and time served
Contracts and Employment (b)
New Hire Orientation (i)
• As part of their orientation, new employees should receive an extensive InfoSec briefing.
• This orientation should cover policies, security procedures, access levels, and training on the secure use of information systems.
• By the time new employees are ready to report to their positions, they should be thoroughly briefed on the security component of their particular jobs as well as the rights and responsibilities of all personnel in the organization.
On-the-Job Security Training (ii)
An organization can downsize, be bought out, be
taken over, shut down, go out of business, or simply
lay off, fire, or relocate its workforce.
Termination Issues (c)
1) Hostile departure (usually involuntary), including termination, downsizing, layoff, or resignation
• Security cuts off all logical and key card access before the employee is terminated.
• As soon as the employee reports for work, he or she is escorted into the supervisor's office to receive the bad news.
• The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision.
• No organizational property is allowed to leave the premises, including digital or hard-copy information.
• Once personal property has been gathered, the employee is asked to surrender all keys, key cards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building.
2) Friendly departure (voluntary) for retirement, promotion, or relocation
Personnel Security Practices (d)
There are various ways of monitoring and controlling employees to minimize their opportunities to misuse information.
• a) Separation of duties: this control is particularly important in financial matters and can also be applied to critical information and information systems. For example, one programmer might update the software in the systems, and a supervisor or co-worker might then apply the tested update to the production system following the procedures of the change management process.
• b) Two-person control (or dual control): a practice similar to separation of duties, it requires that two individuals complete a task together and, in some cases, review and approve each other's work before the task is considered complete.
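The two controls above can be enforced mechanically at the point where a change is about to reach production. The following is an added example, not code from the original slides: a small policy check over constructed change-management records that rejects a change when the author also deploys or approves it (separation of duties) and, for changes marked high impact, when fewer than two independent approvers signed off (two-person control). The record layout, the people, the change IDs and the `high_impact` flag are assumptions made for the demo.

```python
"""Separation-of-duties and two-person-control checks over change records.

Added example, not material from the original slides. It encodes the two
personnel controls as a policy gate a change-management pipeline could run
before a deployment is allowed:
  - separation of duties: the person who wrote a change may not be the one
    who applies it to production, and may not approve their own work;
  - two-person (dual) control: a change flagged as high impact needs two
    distinct approvers, neither of whom is the author.
The record layout, the names and the high_impact flag are assumptions made
for this demo; the sample records are constructed, not real.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    author: str                 # wrote and tested the update
    deployer: str               # applies the tested update to production
    approvers: Tuple[str, ...]  # reviewed and signed off on the update
    high_impact: bool = False   # assumption: marks systems that require dual control


def check_change(record: ChangeRecord) -> List[str]:
    """Return the control violations for one change; an empty list means it may proceed."""
    violations: List[str] = []

    # Separation of duties: the author must not also be the deployer.
    if record.author == record.deployer:
        violations.append("separation_of_duties: author deployed their own change")

    # Self-approval defeats both controls, so it is reported on its own.
    if record.author in record.approvers:
        violations.append("self_approval: author is listed as an approver")

    # Count approvers who are genuinely independent of the author. Using a set
    # means the same person signing twice still counts only once.
    independent = set(record.approvers) - {record.author}
    required = 2 if record.high_impact else 1
    if len(independent) < required:
        violations.append(
            f"two_person_control: {len(independent)} independent approver(s), need {required}"
        )
    return violations


def gate_changes(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Evaluate every record; the result maps change_id to its list of violations."""
    return {r.change_id: check_change(r) for r in records}


# Constructed sample records (hypothetical people and change IDs).
SAMPLE_CHANGES = [
    # Routine change, author and deployer differ, one independent approver: passes.
    ChangeRecord("CHG-1001", author="alice", deployer="bob", approvers=("bob",)),
    # Author deploys and approves her own change: three violations.
    ChangeRecord("CHG-1002", author="alice", deployer="alice", approvers=("alice",)),
    # High-impact change where one approver signed twice: dual control fails.
    ChangeRecord("CHG-1003", author="carol", deployer="dave", approvers=("dave", "dave"),
                 high_impact=True),
    # High-impact change with two independent approvers: passes.
    ChangeRecord("CHG-1004", author="carol", deployer="dave", approvers=("dave", "erin"),
                 high_impact=True),
]


if __name__ == "__main__":
    for change_id, problems in gate_changes(SAMPLE_CHANGES).items():
        print(f"{change_id}: {'ALLOW' if not problems else 'BLOCK'}")
        for problem in problems:
            print(f"    - {problem}")
```

The point of the set subtraction is that dual control is about distinct people, not distinct signatures: a record whose two approvals come from the same account satisfies a naive "two approvals" count but not the control the slides describe.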
Organizations are required by law to protect sensitive or
personal employee information.
Information Security Performance Measurement (2)
InfoSec Performance Management
Specifying InfoSec Measurements (b)
One of the critical tasks in the measurement process is to assess and quantify
what will be measured.
While InfoSec planning and organizing activities may only require time
estimates, you must obtain more detailed measurements when assessing the
effort spent to complete production and project tasks.
This usually means some form of time reporting system, either a paper-based
or automated time accounting mechanism.
Collecting InfoSec Measurements (c)
a) Measurements Development Approach
• One of the priorities in building an InfoSec process measurement program is determining whether these measurements will be macro- or micro-focus.
• Macro-focus measurements examine the performance of the overall security program.
• Micro-focus measurements examine the performance of an individual control or group of controls within the InfoSec program.
• Some organizations may want to conduct a limited assessment using both macro- and micro-focus measurements.
Benchmarking (3)
An organization usually generates a security blueprint by:
1) Drawing from established security models and frameworks.
2) Looking at the paths taken by organizations like the one whose plan you are developing:
• this is called benchmarking (or external benchmarking)
• compare your organization's efforts to those of other organizations you feel are similar in size, structure, or industry.
• if the practices of the similar organization or industry standard appear to offer better results, the organization may choose to adopt all or portions of them.
Benchmarking objectives:
In InfoSec, two categories of terms describing security practices are commonly used:
The very best recommended practices are nominally referred to as the gold standard
Standards of Due Care/Due Diligence (a)
For legal reasons, certain organizations may be compelled to adopt a minimum level of
security.
Organizations that do so to establish a future legal defense may need to verify that they
have done what any prudent organization would do in similar circumstances.
Failure to do so can expose an organization to legal liability if it can be shown that the organization was negligent in its application of information protection.
Microsoft Security Best Practices: https://learn.microsoft.com/en-us/partner-center/customer-security-best-practices
Benchmarking and Best Practices Limitations (c)
• Many organizations do not share results with other organizations. A successful attack is often perceived as an organizational failure and is kept secret, if possible.
• No two organizations are identical. Organizations that offer products or services in the same market may differ dramatically in size, composition, management philosophy, organizational culture, technological infrastructure, and planned expenditures for security.
• Recommended practices are a moving target. Security programs must keep abreast of new threats as well as the methods, techniques, policies, guidelines, educational and training approaches, and, yes, technologies to combat them.
Baselining (d)