Topic 6 - Security Management Practices


TOPIC 6 Security Management Practices
Security Employment Practices (1)

• The following sections examine important concepts associated with recruiting, hiring, firing, managing, and releasing human resources. Including InfoSec responsibilities in every employee's job description and subsequent performance reviews can make an entire organization take InfoSec more seriously.
Hiring (a)

• Figure 9-1 highlights some of the hiring concerns.
Job Descriptions (i)

• Integrating InfoSec into the hiring process begins with reviewing and updating job descriptions to include InfoSec responsibilities.
• Organizations that provide complete job descriptions when advertising open positions should omit the elements of the job description that describe access privileges or the type and sensitivity of information to which the position would have access.
Job Descriptions (i)

• Individuals who want to gain access to an organization's information may seek positions within it based on the description of access.
• Job descriptions should be focused on the skills and abilities needed by the candidate rather than describing the organization's systems and security, and details of the access or responsibilities the new hire will have.
Interviews (ii)

• When a position within the InfoSec department opens, the security manager can take the opportunity to educate HR personnel on the various certifications, the specific experience each credential requires, and the qualifications of a good candidate.
• When an interview includes a site visit, the tour should avoid secure and restricted sites because the job candidate is not yet bound by organizational policy or employment contract and could observe enough information about the operations or InfoSec functions to represent a potential threat to the organization.
Background Checks (iii)

• A background check should be conducted before the organization extends an offer to any candidate, regardless of job level.
• A background check can uncover past criminal behaviour or other information that suggests a potential for future misconduct or a vulnerability that might render a candidate susceptible to coercion or blackmail.
• Some of the common types of background checks are as follows:
  ✓ Identity checks - Personal identity validation; is the person who he or she claims to be?
  ✓ Education and credential checks - Institutions attended, degrees and certifications earned, and certification status
  ✓ Previous employment verification - Where candidates worked, why they left, what they did, and for how long
  ✓ Reference checks - Validity of references and integrity of reference sources
  ✓ Workers' compensation history - Claims from workers' compensation
  ✓ Motor vehicle records - Driving records, suspensions, and other items noted in the applicant's public record
  ✓ Drug history - Drug screening and drug usage, past and present
  ✓ Medical history - Current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
  ✓ Credit history - Credit problems, financial problems, and bankruptcy
  ✓ Civil court history - Involvement as the plaintiff or defendant in civil suits
  ✓ Criminal court history - Criminal background, arrests, convictions, and time served
Contracts and Employment (b)

• Once a candidate has accepted a job offer, the employment contract becomes an important security instrument.
New Hire Orientation (i)

• As part of their orientation, new employees should receive an extensive InfoSec briefing.
• This orientation should cover policies, security procedures, access levels, and training on the secure use of information systems.
• By the time new employees are ready to report to their positions, they should be thoroughly briefed on the security component of their particular jobs as well as the rights and responsibilities of all personnel in the organization.
On-the-Job Security Training (ii)

• Organizations should conduct periodic SETA (security education, training, and awareness) activities to keep security at the forefront of employees' minds and minimize employee mistakes.
• Formal external and informal internal seminars also increase the level of security awareness for all employees, but especially for InfoSec employees.
Termination Issues (c)

• An organization can downsize, be bought out, be taken over, shut down, go out of business, or simply lay off, fire, or relocate its workforce.
• In any event, when an employee leaves an organization, several security-related concerns arise.
• Two methods for handling employee out-processing:
Termination Issues (c)

1) Hostile departure (usually involuntary), including termination, downsizing, layoff, or resignation
• Security cuts off all logical and key card access before the employee is terminated.
• As soon as the employee reports for work, he or she is escorted into the supervisor's office to receive the bad news.
• The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects under supervision.
• No organizational property is allowed to leave the premises, including digital or hard-copy information.
• Once personal property has been gathered, the employee is asked to surrender all keys, key cards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building.
Termination Issues (c)

2) Friendly departure (voluntary) for retirement, promotion, or relocation
• The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee's access and information usage.
• Employee accounts are usually allowed to continue, with a new expiration date. The employee can come and go at will and usually collects any belongings and leaves without escort. The employee is asked to drop off all organizational property before departing.
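The two out-processing methods above differ mainly in when logical access ends. The following added example (not from the slides) models that difference: a hostile departure disables the account before the employee is notified, a friendly departure leaves the account running with a new expiration date, and an audit function finds accounts whose expiration has passed without the account ever being disabled, which is the loss of positive control the friendly case warns about. All account names and dates are constructed.

```python
"""Out-processing access model for hostile and friendly departures.

Added illustration, not taken from the slides: a hostile departure disables
the account immediately (before the employee is notified), a friendly
departure sets a new expiration date instead, and an audit lists accounts
whose expiration has passed without the account being disabled. Users and
dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Account:
    user: str
    enabled: bool = True
    expires_at: Optional[datetime] = None   # None: no scheduled expiration

    def has_access(self, now: datetime) -> bool:
        """Logical access needs an enabled account whose expiration has not passed."""
        return self.enabled and (self.expires_at is None or now < self.expires_at)


def hostile_departure(account: Account) -> None:
    """Involuntary exit: security cuts off access before the employee hears the
    news, so the account is disabled on the spot rather than given an expiry."""
    account.enabled = False


def friendly_departure(account: Account, last_day: datetime) -> datetime:
    """Voluntary exit with notice: the account keeps working through the end of
    the last working day and expires at the midnight after it. Returns the expiry."""
    midnight = last_day.replace(hour=0, minute=0, second=0, microsecond=0)
    account.expires_at = midnight + timedelta(days=1)
    return account.expires_at


def overdue_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """Audit: accounts whose expiration has passed but which were never actually
    disabled. has_access() already denies them, but a dangling enabled entry
    still needs to be cleaned up."""
    return [a.user for a in accounts
            if a.enabled and a.expires_at is not None and now >= a.expires_at]


def demo() -> dict:
    """Runs both departure types against constructed accounts; returns the checks."""
    alice = Account("alice")                 # hostile departure, told at 09:00
    bob = Account("bob")                     # friendly departure, last day 15 March
    carol = Account("carol")                 # left 20 February, never disabled
    notification = datetime(2024, 3, 1, 9, 0)

    hostile_departure(alice)
    friendly_departure(bob, datetime(2024, 3, 15))
    friendly_departure(carol, datetime(2024, 2, 20))

    return {
        "alice_locked_out_before_meeting": not alice.has_access(notification),
        "bob_works_on_last_day": bob.has_access(datetime(2024, 3, 15, 17, 0)),
        "bob_locked_out_after_last_day": not bob.has_access(datetime(2024, 3, 16, 0, 0)),
        "carol_still_has_access": carol.has_access(notification),
        "overdue": overdue_accounts([alice, bob, carol], notification),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit is the piece worth copying into a real directory review: an expiration attribute is only a control if something checks that expired accounts were in fact disabled.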
Personnel Security Practices (d)

• There are various ways of monitoring and controlling employees to minimize their opportunities to misuse information.
• a) Separation of duties (also known as segregation of duties) makes it difficult for an individual to violate InfoSec and breach the confidentiality, integrity, or availability of information.
• This control is particularly important in financial matters and can also be applied to critical information and information systems.
• For example, one programmer might update the software in the systems, and a supervisor or co-worker might then apply the tested update to the production system following the procedures of the change management process.
Personnel Security Practices (d)

• A practice similar to separation of duties, known as b) two-person control (or dual control), requires that two individuals complete a task together, and in some cases, review and approve each other's work before the task is considered complete.
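Both controls above can be enforced in software rather than left to procedure. The following is an added example, not code from the slides: a minimal change-management model in which the programmer who submits a change can neither approve nor deploy it (separation of duties), and a change to a critical system needs sign-off from two distinct people (two-person control). Change identifiers and user names are constructed.

```python
"""Separation of duties and two-person control in a change-management workflow.

Added illustration (not from the slides): an in-memory model in which the
submitter of a production change can never approve or deploy it, and a
change flagged as critical needs two distinct approvers. Names and change
ids are constructed.
"""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold two roles that must be kept apart."""


@dataclass
class Change:
    change_id: str
    submitter: str
    critical: bool = False              # critical systems require dual control
    approvers: set = field(default_factory=set)

    @property
    def required_approvals(self) -> int:
        return 2 if self.critical else 1

    def approve(self, approver: str) -> None:
        # Separation of duties: the author of a change cannot approve it.
        if approver == self.submitter:
            raise SeparationOfDutiesError(
                f"{approver} submitted {self.change_id} and may not approve it")
        # Two-person control: a second approval must come from a different person.
        if approver in self.approvers:
            raise SeparationOfDutiesError(
                f"{approver} has already approved {self.change_id}")
        self.approvers.add(approver)

    def is_deployable(self) -> bool:
        return len(self.approvers) >= self.required_approvals


def deploy(change: Change, deployer: str) -> str:
    """Apply the tested update to production, as the slide's supervisor or
    co-worker does. Refuses the submitter and refuses unapproved changes."""
    if deployer == change.submitter:
        raise SeparationOfDutiesError(
            f"{deployer} submitted {change.change_id} and may not deploy it")
    if not change.is_deployable():
        raise SeparationOfDutiesError(
            f"{change.change_id} needs {change.required_approvals} approval(s), "
            f"has {len(change.approvers)}")
    return f"{deployer} deployed {change.change_id} approved by {sorted(change.approvers)}"


def demo() -> dict:
    """Walks through an ordinary and a critical change; returns what was enforced."""
    results = {}
    # Ordinary change: one reviewer other than the programmer is enough.
    routine = Change("CHG-1", submitter="alice")
    try:
        routine.approve("alice")            # self-approval is rejected
    except SeparationOfDutiesError:
        results["self_approval_blocked"] = True
    routine.approve("bob")
    results["routine_deployable"] = routine.is_deployable()

    # Critical system: two different people must sign off before deployment.
    critical = Change("CHG-2", submitter="alice", critical=True)
    critical.approve("bob")
    results["one_approval_enough_for_critical"] = critical.is_deployable()
    try:
        critical.approve("bob")             # the same person twice is rejected
    except SeparationOfDutiesError:
        results["duplicate_approver_blocked"] = True
    critical.approve("carol")
    results["critical_deployable"] = critical.is_deployable()
    results["deployed_by_third_party"] = deploy(critical, "dave").startswith("dave")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The checks are deliberately identity-based rather than role-based: the point of both controls is that the same person cannot occupy two positions in the chain, whatever roles that person otherwise holds.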
Personnel Security Practices (d)

• Other controls used to prevent personnel from misusing information assets are c) job rotation and task rotation.
• Both job rotation and task rotation ensure that no one employee is performing actions that cannot be knowledgeably reviewed by another employee.
Personnel Security Practices (d)

• Many organizations implement d) a mandatory vacation policy that requires employees to take a vacation of at least one week per year.
• This policy gives the organization a chance to perform a detailed review of everyone's work and work area.
Security of Personnel and Personal Data (e)

• Organizations are required by law to protect sensitive or personal employee information.
• This responsibility also extends to customers, patients, and anyone with whom the organization has business relationships.
• InfoSec procedures should ensure that this data receives at least the same level of protection as the other important data in the organization.
Information Security Performance Measurement (2)
InfoSec Performance Management

• InfoSec performance management is the process of designing, implementing, and managing the use of the collected data elements (called measurements or metrics) to determine the effectiveness of the overall security program.
• Performance measurements (or performance measures) are the data points, or the trends computed from such measurements, that may indicate the effectiveness of security countermeasures.
InfoSec Performance Management

• Organizations use three types of measurements:
  • Those that determine the effectiveness of the execution of InfoSec policy, most commonly issue-specific security policies.
  • Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, whether they be managerial services, such as security training, or technical services, such as the installation of anti-virus software.
  • Those that assess the impact of an incident or other security event on the organization or its mission.
Building the Performance Measurement Program (a)

• Popular approach - NIST's SP 800-55, Rev. 1.
• It is divided into two major activities:
  1) Identification and definition of the current InfoSec program
  2) Development and selection of specific measurements to gauge the implementation, effectiveness, efficiency, and impact of the security controls
Specifying InfoSec Measurements (b)

• One of the critical tasks in the measurement process is to assess and quantify what will be measured.
• While InfoSec planning and organizing activities may only require time estimates, you must obtain more detailed measurements when assessing the effort spent to complete production and project tasks.
• This usually means some form of time reporting system, either a paper-based or automated time accounting mechanism.
Collecting InfoSec Measurements (c)

a) Measurements Development Approach
• One of the priorities in building an InfoSec process measurement program is determining whether these measurements will be macro- or micro-focus.
• Macro-focus measurements examine the performance of the overall security program.
• Micro-focus measurements examine the performance of an individual control or group of controls within the InfoSec program.
• Some organizations may want to conduct a limited assessment using both macro- and micro-focus measurements.
Collecting InfoSec Measurements (c)

b) Measurement Prioritization and Selection
• It is important to ensure that individual metrics are prioritized in the same manner as the processes that they measure.
• This can be achieved with a simple low, medium, or high priority ranking system or a weighted scale approach, which would involve assigning values to each measurement based on its importance in the context of the overall InfoSec program and in the overall risk mitigation goals and criticality of the systems.
Collecting InfoSec Measurements (c)

c) Establishing Performance Targets
• Performance targets make it possible to define success in the security program.
• For example, a goal of 100 percent employee InfoSec training as an objective for the training program validates the continued collection of training measurements.
• A periodic report indicating the current status of employee training represents progress toward the goal.
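Steps b) and c) above, prioritizing measurements and reporting progress against targets, can be combined in one small calculation. The following is an added example, not from the slides or from NIST SP 800-55: each measurement carries a low/medium/high priority and a system-criticality factor that together form its weight, measurements are ranked by weight, each is scored as the share of its target reached, and the periodic status report lists them in priority order. The measurement names and values are constructed sample data.

```python
"""Weighted prioritization of InfoSec measurements and progress toward targets.

Added illustration (not from the slides or from NIST SP 800-55): each
measurement is weighted by its importance to the program and the criticality
of the systems it covers, ranked by that weight, and scored as the fraction
of its target reached. Measurements and values are constructed.
"""
from dataclasses import dataclass

# The slide's simple low/medium/high ranking, mapped to numbers so it can feed
# the weighted-scale approach as well.
PRIORITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Measurement:
    name: str
    priority: str        # "low" | "medium" | "high"
    criticality: float   # 1.0 .. 3.0, how critical the measured systems are
    target: float        # desired value, e.g. 100 for "100 % of staff trained"
    current: float       # latest collected value

    def weight(self) -> float:
        """Weighted-scale score: importance in the program times criticality."""
        return PRIORITY_WEIGHT[self.priority] * self.criticality

    def attainment(self) -> float:
        """Share of the target reached, capped at 1.0 so overshoot does not
        mask shortfalls elsewhere."""
        if self.target <= 0:
            raise ValueError(f"{self.name}: target must be positive")
        return min(self.current / self.target, 1.0)

    def met(self) -> bool:
        return self.current >= self.target


def rank(measurements):
    """Highest weight first, so metrics are prioritized like the processes they measure."""
    return sorted(measurements, key=lambda m: m.weight(), reverse=True)


def program_score(measurements) -> float:
    """Weighted average attainment across the whole program, 0.0 .. 1.0."""
    total_weight = sum(m.weight() for m in measurements)
    return sum(m.weight() * m.attainment() for m in measurements) / total_weight


def status_report(measurements):
    """Periodic report: one line per measurement, in priority order."""
    return [
        f"{m.name}: {m.current:g}/{m.target:g} "
        f"({m.attainment():.0%}{', target met' if m.met() else ''})"
        for m in rank(measurements)
    ]


SAMPLE = [   # constructed values
    Measurement("employees trained (%)", "high", 3.0, target=100, current=85),
    Measurement("critical patches applied within SLA (%)", "high", 2.5, target=95, current=97),
    Measurement("policy acknowledgements signed (%)", "medium", 1.5, target=100, current=60),
    Measurement("visitor log completeness (%)", "low", 1.0, target=100, current=100),
]

if __name__ == "__main__":
    for line in status_report(SAMPLE):
        print(line)
    print(f"program score: {program_score(SAMPLE):.2f}")
```

Capping attainment at 1.0 is the design choice worth noting: without it, over-performing on a low-priority metric would lift the program score and hide the training shortfall that the slide's 100 percent target exists to expose.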
Collecting InfoSec Measurements (c)

d) Measurements Development Template
• NIST recommends the documentation of performance measurements in a standardized format to ensure the repeatability of the measurement development, customization, collection, and reporting activities.
• One way to accomplish this would be to develop a custom template that an organization could use to document performance measurements that are to be used. Instructions for the development and format of such a template are provided in Table 9-1.
Collecting InfoSec Measurements (c)

e) Candidate Measurements
Benchmarking (3)
Organizations usually generate a security blueprint by:
1) Drawing from established security models and frameworks.
2) Looking at the paths taken by organizations like the one whose plan you are developing:
  • this is called benchmarking (or external benchmarking)
  • compare your organization's efforts to those of other organizations you feel are similar in size, structure, or industry.
  • if the practices of the similar organization or industry standard appear to offer better results, the organization may choose to adopt all or portions of them.
Benchmarking objectives:

1) Benchmarking can help to determine which controls should be considered, but it cannot determine how those controls should be implemented in your organization.
2) Benchmarking can also be used as an internal tool to compare current performance against past performance and to look for trends of improvement or areas that need additional work.
  • This is commonly referred to as internal benchmarking (or baselining) to differentiate internal and external comparisons.
In InfoSec, two categories of terms describing security practices are commonly used:

• standards of due care and due diligence, and
• recommended practices or best security practices.

The very best recommended practices are nominally referred to as the gold standard.
Standards of Due Care/Due Diligence (a)

• For legal reasons, certain organizations may be compelled to adopt a minimum level of security.
• Organizations that do so to establish a future legal defense may need to verify that they have done what any prudent organization would do in similar circumstances.
• Implementing controls at this minimum standard, and maintaining them, demonstrates that an organization has performed due diligence.
• Failure to do so can expose an organization to legal liability if it can be shown that the organization was negligent in its application of information protection.
• This is especially important in organizations that maintain customer or client information, including medical, legal, or other personal data.
Recommended Security Practices (b)

• Security efforts that seek to provide a superior level of performance in the protection of information are called recommended practices.
• Security efforts that are considered among the best in the industry are termed best security practices (BSPs).
Microsoft Security Best Practices

https://learn.microsoft.com/en-us/partner-center/customer-security-best-practices
Benchmarking and Best Practices Limitations (c)

• Many organizations do not share results with other organizations. A successful attack is often perceived as an organizational failure and is kept secret, if possible.
• No two organizations are identical. Organizations that offer products or services in the same market may differ dramatically in size, composition, management philosophy, organizational culture, technological infrastructure, and planned expenditures for security.
• Recommended practices are a moving target. Security programs must keep abreast of new threats as well as the methods, techniques, policies, guidelines, educational and training approaches, and, yes, technologies to combat them.
Baselining (d)

• A specific subset of benchmarking is baselining, also known as internal benchmarking, in which the organization conducts an initial assessment of its own current performance (known as a baseline).
• An example of a performance measurement incorporating a baseline might be the number of external attacks per week that an organization experiences.
• In InfoSec, baseline measurements of security activities and events are used to provide a basis for comparison of the organization's current security performance against future performance.
