Information Security - Ch11
Principles of Information Security, Sixth Edition
Chapter 11: Security and Personnel
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Learning Objectives (1 of 2)
Learning Objectives (2 of 2)
Introduction
Positioning and Staffing the Security Function
Staffing the Information Security Function (1 of 6)
• Selecting personnel is based on several criteria, including some not within the control of the organization (supply and demand).
• Many professionals enter the security market by gaining skills, experience, and credentials.
• At present, the information security industry is in a period of high demand.
Staffing the Information Security Function (2 of 6)
• Qualifications and requirements
– Establishing better hiring practices requires the following:
▪ General management should learn more about the skills and qualifications required for positions
▪ Upper management should learn about the budgetary needs of the information security function
▪ IT and general management should grant appropriate levels of influence and prestige to information security
– Organizations typically look for a technically qualified information security generalist
Staffing the Information Security Function (3 of 6)
• Qualifications and requirements
– Organizations look for candidates who understand:
▪ How an organization operates at all levels
▪ Information security is usually a management problem, not a technical problem
▪ The importance of strong communications and writing skills
▪ The role of policy in guiding security efforts
▪ Most mainstream IT technologies
Staffing the Information Security Function (4 of 6)
▪ The terminology of IT and information security
▪ Threats facing an organization and how they can become attacks
▪ How to protect an organization’s assets from information security attacks
▪ How business solutions can be applied to solve specific information security problems
Staffing the Information Security Function (5 of 6)
• Entry into the information security profession
– Traditionally, many information security professionals entered the field through one of two career paths:
▪ Law enforcement or military
▪ Technical IT professional, working on security applications and processes
– Today, students select and tailor degree programs to prepare for work in information security
– Organizations can foster greater professionalism by matching qualified candidates to clearly defined roles in information security
Staffing the Information Security Function (6 of 6)
• Information security positions
– Use of standard job descriptions can increase the degree of professionalism and improve the consistency of roles and responsibilities between organizations
– Charles Cresson Wood’s book Information Security Roles and Responsibilities Made Easy offers a set of model job descriptions
Figure 11-4 Positions in information security
Information Security Positions (1 of 4)
• Chief information security officer (CISO)
– Top information security officer; frequently reports to the chief information officer (CIO)
– Manages the overall information security program
– Drafts or approves information security policies
– Works with the CIO on strategic plans
– Develops information security budgets
– Sets priorities for the purchase and implementation of information security projects and technology
– Makes recruiting, hiring, and firing decisions or recommendations
– Acts as spokesperson for the information security team
Information Security Positions (2 of 4)
– Typical qualifications: accreditation, graduate degree, experience
• Chief security officer (CSO)
– The CISO’s position may be combined with physical security responsibilities
– Knowledgeable in both IS requirements and the “guards, gates, and guns” approach to security
• Security manager
– Accountable for day-to-day operation of the information security program
Information Security Positions (3 of 4)
Information Security Positions (4 of 4)
– Typical qualifications:
▪ Varied; organizations prefer an expert, certified, proficient technician
▪ Some experience with a particular hardware and software package
▪ Actual experience in using a technology is usually required
Credentials for Information Security Professionals
• Many organizations seek industry-recognized certifications.
• Most existing certifications are relatively new and not fully understood by hiring organizations.
Certifications (1 of 4)
• (ISC)2 Certifications
– Certified Information Systems Security Professional (CISSP)
▪ Concentrations:
o Information Systems Security Architecture Professional (ISSAP)
o Information Systems Security Engineering Professional (ISSEP)
o Information Systems Security Management Professional (ISSMP)
Certifications (2 of 4)
Certifications (3 of 4)
• ISACA Certifications
– Certified Information Systems Manager (CISM)
– Certified Information Security Auditor (CISA)
– Certified in the Governance of Enterprise IT (CGEIT)
– Certified in Risk and Information Systems Control (CRISC)
Certifications (4 of 4)
Certification Costs
Figure 11-5 Preparing for security certification
Employment Policies and Practices
• An organization should make information security a documented part of every employee’s job description.
• The management community of interest should integrate solid information security concepts into the organization’s employment policies and practices.
• From an information security perspective, hiring employees is a responsibility laden with potential security pitfalls.
• The CISO and information security manager should work with the Human Resources (HR) department to incorporate information security into the guidelines used for hiring all personnel.
Job Descriptions
Interviews
Figure 11-6 Hiring issues
Background Checks (2 of 2)
• May include:
– identity check
– education and credential check
– previous employment verification
– references check
– worker’s compensation history
– motor vehicle records
– drug history
– credit history and more
Employment Contracts
New Hire Orientation
On-the-Job Security Training
Evaluating Performance
Termination (1 of 4)
Termination (2 of 4)
Termination (3 of 4)
Termination (4 of 4)
Temporary Employees
Contract Employees
Consultants
Business Partners
Internal Control Strategies (1 of 4)
Internal Control Strategies (2 of 4)
Internal Control Strategies (3 of 4)
Figure 11-7 Internal control strategies (4 of 4)
Summary
• Positioning the information security function within organizations
• Issues and concerns about staffing information security
• Professional credentials of information security professionals
• Organizational employment policies and practices related to successful information security
• Special security precautions for nonemployees
• Separation of duties
• Special requirements needed for the privacy of personnel data
Questions