Lecture 6 Safety in Digital World


BCS2014

Cyber Security

Lecture 6:
Safety in Digital World
Learning Objectives
• List the elements of key information security management practices
• Discuss information security constraints on general hiring processes
• Explain the role of information security in employee terminations
• Describe the security practices used to regulate employee behavior
and prevent misuse of information
• Discuss the Cybersecurity metrics, advantages and challenges
• Describe the key components of, and suitable strategies for the
implementation of, a security performance measurement program
• Discuss benchmarking and baselining
Introduction to Security Practices
• Value proposition – organizations strive to deliver the most value with
a given level of investment
• The development and use of sound and repeatable information
security (InfoSec) management practices can bring the organizations
closer to meeting this objective
• A challenge that is seldom considered in organizations:
the need for a close working relationship between (1) information security,
(2) the HR department, and (3) every department that is engaged in
personnel management, specifically in hiring, evaluating and terminating
employees

Security Employment Practices
• The general management community of interest should integrate
solid InfoSec concepts across all the organization’s employment
policies and practices. This covers:
• Hiring
• Contracts and employment
• Security expectations in the performance evaluation
• Termination issues
• Personnel security practice
• Security of personnel and personal data
• Security considerations for temporary employees, consultants and other
workers
Security Employment Practices –
Hiring
• The hiring of employees is laden with potential security pitfalls
• So, InfoSec considerations should become part of the hiring process

Some of the hiring concerns are illustrated in a figure from the source below.

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th
ed.). Cengage Learning. ISBN: 9781337671545
Security Employment Practices –
Hiring
• Integrating InfoSec into the hiring process (job description):
• Review and update job descriptions to include InfoSec responsibilities
• Screen for unwanted disclosures. Example: when advertising open positions, omit
descriptions of access privileges or the type of sensitive information to which
the position would have access
• Job descriptions should focus on the skills and abilities needed by
the candidate; avoid describing the organization’s systems and security, or
the details of the access or responsibilities the new hire will have

Security Employment Practices –
Hiring
Interviews
• If a position within the InfoSec department opens, the security
manager should educate HR personnel on the (1) various
certifications, (2) the specific experience each credential requires and
(3) the qualifications of a good candidate.
• If a job interview includes a site visit, the tour should avoid secure and
restricted sites.
• The candidate is not yet bound by organizational policy or an employment
contract.

Security Employment Practices –
Hiring
Background checks
• Should be conducted before the organization extends an offer to any
candidate
• Can discover past criminal behavior or other information that
suggests a potential for future misconduct
• Background checks differ in their level of detail and depth:
• Example: a military background check vs. a background check for an InfoSec position

Security Employment Practices –
Contracts and Employment
• Once a candidate has accepted a job offer, the employment contract
becomes an important security instrument
• Job candidates can be offered “employment contingent upon
agreement”
• They are not formally hired into a position unless they agree to the binding
organizational policies
• Once the candidate signs the security agreements, the remainder of the
employment contract may be executed

Security Employment Practices –
Contracts and Employment
New Hire Orientation
• New employees should receive an extensive InfoSec briefing
• Should cover policies, security procedures, access levels and training
on the secure use of information systems
• Before they report to their position, they should be thoroughly briefed
on the security component of their particular jobs and their rights and
responsibilities

Security Employment Practices –
Contracts and Employment
On-the-job security training:
• Periodic Security Education, Training and Awareness (SETA) activities
should be conducted to:
• Keep security at the forefront of employees’ minds
• Minimize employee mistakes
• Formal external and informal internal seminars increase the level of security
awareness for all employees, especially InfoSec employees

Security Employment Practices –
Security Expectations in the Performance
Evaluation
• Organizations should incorporate InfoSec components into employee
performance evaluations
• Why?
• To heighten InfoSec awareness and change workplace behavior.
• Example of review comment related to security accountabilities in the
assessment areas and evaluation criteria:
• Alice is meticulous in her management of classified documents …
• Bob worked tirelessly to safeguard the newly developed intellectual property
his team was responsible for …

Security Employment Practices –
Termination Issues
• When an employee leaves an organization, a number of security-related concerns arise.
• The following tasks must be performed:
• Disable his/her access to the organization’s systems
• He/She must return all organizational property, including any issued removable media, technology,
and data.
• His/Her hard drives must be secured.
• File cabinet locks must be changed.
• Office door locks must be changed.
• His/Her keycard access must be revoked.
• His/Her personal effects must be removed from the premises.
• He/She should be escorted from the premises once the organizational properties have been turned
over

Security Employment Practices –
Termination Issues
• An exit interview should be conducted:
• To remind the employee of any contractual obligations (e.g.
nondisclosure agreements)
• To obtain feedback on the employee’s tenure in the organization.
• To remind the employee that failure to comply with contractual obligations
could lead to civil or criminal action.

Security Employment Practices –
Personnel Security Practices
• There are various ways to monitor and control employees to minimize
their opportunities to misuse information.
• Separation of duties (also known as segregation of duties) makes it
difficult for an individual to violate InfoSec and breach the
confidentiality, integrity or availability of information.
• Example: a bank issuing a cashier’s check (one person prepares the check; another signs it)
• Separation of duties can be applied to critical information and
information systems.
• Example: one person prepares a software update; another applies the tested update to the
production system

Security Employment Practices –
Personnel Security Practices
• Collusion: cooperation between two or more individuals or groups to
commit illegal or unethical actions.
• The odds that two people will be able to collaborate successfully to misuse a system are
much lower than for one person acting alone.
• Two-person control (a.k.a. dual control): at least two individuals must work
together to complete a task.
• Other controls used to prevent personnel from misusing information
assets are job rotation and task rotation.
• These ensure that no one employee is performing actions that cannot be
knowledgeably reviewed by another employee.
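
Separation of duties and two-person control can be enforced in software rather than left to procedure. The following is an added example, not code from the slides or from the Whitman and Mattord text: a change-approval workflow in which the person who prepares a change can neither approve nor apply it, two distinct approvers are required before anything reaches production, and the role-to-duty table is a constructed assumption.

```python
"""Separation of duties and two-person (dual) control: added example.

Constructed scenario: a change-approval workflow. The preparer of a change
may not approve or apply it, two distinct approvers are required, and the
'prepare' duty is never held by a role that can also 'apply'.
"""
from dataclasses import dataclass, field
from typing import Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold conflicting duties."""


# Hypothetical role-to-duty mapping (an assumption of this example, not from
# the slides). No role may both prepare and apply a change.
ROLE_DUTIES = {
    "developer": {"prepare"},
    "release_manager": {"approve"},
    "operator": {"approve", "apply"},
}


@dataclass
class Change:
    change_id: str
    prepared_by: str
    approvals: list = field(default_factory=list)
    applied_by: Optional[str] = None


@dataclass
class Workflow:
    users: dict               # constructed user -> role table
    required_approvals: int = 2  # two-person control

    def _duties(self, user: str) -> set:
        if user not in self.users:
            raise SeparationOfDutiesError(f"unknown user {user!r}")
        return ROLE_DUTIES[self.users[user]]

    def prepare(self, change_id: str, user: str) -> Change:
        if "prepare" not in self._duties(user):
            raise SeparationOfDutiesError(f"{user} may not prepare changes")
        return Change(change_id, prepared_by=user)

    def approve(self, change: Change, user: str) -> Change:
        if "approve" not in self._duties(user):
            raise SeparationOfDutiesError(f"{user} may not approve changes")
        if user == change.prepared_by:
            raise SeparationOfDutiesError("preparer cannot approve own change")
        if user in change.approvals:
            raise SeparationOfDutiesError(f"{user} has already approved")
        change.approvals.append(user)
        return change

    def apply(self, change: Change, user: str) -> Change:
        if "apply" not in self._duties(user):
            raise SeparationOfDutiesError(f"{user} may not apply changes")
        if user == change.prepared_by:
            raise SeparationOfDutiesError("preparer cannot apply own change")
        if len(change.approvals) < self.required_approvals:
            raise SeparationOfDutiesError(
                f"need {self.required_approvals} approvals, "
                f"have {len(change.approvals)}")
        change.applied_by = user
        return change


def violates(action, *args) -> bool:
    """True if the action is blocked by the separation-of-duties rules."""
    try:
        action(*args)
    except SeparationOfDutiesError:
        return True
    return False


def demo() -> Change:
    """Walk a compliant change through the workflow and return it."""
    wf = Workflow(users={"alice": "developer", "bob": "release_manager",
                         "carol": "operator", "dave": "operator"})
    change = wf.prepare("CHG-1", "alice")
    wf.approve(change, "bob")     # first approver
    wf.approve(change, "carol")   # second, distinct approver
    return wf.apply(change, "dave")


if __name__ == "__main__":
    print(demo())
```

The checks that matter for collusion resistance are the identity comparisons, not the role lookup: a role table alone would let one operator approve twice or a developer who also holds an operator account approve their own work, so every step compares against the people already recorded on the change.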
Security Employment Practices –
Personnel Security Practices
• Implement a mandatory vacation policy.
• A requirement that all employees take time off from work, which gives the
organization a chance to perform a detailed review of everyone’s work and
work area.
• Limit access to information through need-to-know and least privilege.
Security Employment Practices –
Security of Personnel and Personal Data
• Organizations are required by law to protect sensitive or personal employee
information:
• Personally identifiable information (address, phone numbers)
• Medical conditions
• Other protected health information
• Even names and addresses of family members
• This responsibility also extends to customers, patients and anyone with whom
the organization has business relationships
• InfoSec procedures should ensure that this data receives at least the same level
of protection as the other important data in the organization

Security Employment Practices –
Security Considerations for Temporary Employees,
Consultants and other Workers
• Relationships with people in this category should be carefully managed to
prevent threats to information assets
• Temporary workers
• Are brought in by organizations to fill positions temporarily or to supplement the
existing workforce.
• Because they are not employees, they may not be subject to the contractual
obligations or general policies that govern other employees.
• If a temp violates a policy or causes a problem, the strongest action that the host organization
can take is to terminate the relationship with the individual and request that he or she be censured.
• Temporary workers’ access to information should be limited to what is necessary
to perform their duties.

Security Employment Practices –
Security of Personnel and Personal Data
• Contract employees
• Also called contractors.
• Are hired to perform specific services for the organization.
• Examples:
• Groundskeepers, maintenance services staff, electricians, other repair people.
• Professionals: technical consultants, IT specialists, pen testing experts, etc.
• Although professional contractors may require access to all or specific facilities, they
should not be allowed to wander freely in and out of buildings.
• In a secure facility, all service contractors are escorted from room to room,
and into and out of the facility.

Security Employment Practices –
Security of Personnel and Personal Data
• Consultants
• Organizations sometimes hire self-employed or agent contractors (called
consultants) for specific tasks or projects.
• Consultants have their own security requirements and contractual
obligations; their contract should specify their rights of access to information
and facilities.
• These professionals (consultants) may request permission to include the
business relationship on their resumes or promotional materials, but the
hiring organization is not obligated to grant this permission and can explicitly
deny it.
• Apply the principle of least privilege when working with consultants.

Security Employment Practices –
Security of Personnel and Personal Data
• Business partners
• Businesses sometimes engage in strategic alliances with other organizations
to exchange information, integrate systems or enjoy some other mutual
advantage

Security Employment Practices –
Security of Personnel and Personal Data
• Business partners
• A prior business agreement must specify the levels of exposure that both
organizations are willing to tolerate
• Nondisclosure agreements are an important part of any such collaborative
effort
• The level of security of both organizations’ systems must be examined
before any physical integration takes place
• Risk: connecting systems means that a vulnerability in one system becomes a
vulnerability for all the linked systems

Security Metrics
• As defined by the National Institute of Standards and Technology
(NIST), metrics are tools that are designed to facilitate decision-making
and improve performance and accountability through
collection, analysis, and reporting of relevant performance-related
data.
• Without good metrics, analysts cannot answer many security related
questions. Some examples of such questions include:
• “Is our network more secure today than it was before?”
• “Have the changes of network configurations improved our security posture?”

Security Metrics
• The ultimate aim of security metrics is to ensure business continuity
(or mission success) and minimize business damage by preventing or
minimizing the potential impact of cyber incidents.
• To achieve this goal, organizations need to take into consideration all
information security dimensions, and provide stakeholders detailed
information about their network security management and risk
treatment processes.

Cybersecurity Metric
• A cybersecurity metric contains the number of reported incidents, any
fluctuations in these numbers, as well as the identification time and
cost of an attack. Thus, it provides statistics that can be used to ensure
the security of the current application.
• Organizations get an overall view of threats in terms of time, severity
and number. This is important today because this data keeps fluctuating.
In this way, organizations can maximize protection from threats in
the future.

Cybersecurity Metric
A Cybersecurity metric assists the organization in the following
ways:
• It facilitates decision-making and improves overall performance and
accountability.
• It helps in setting quantifiable measures based on objective data in the
metric.
• It helps in making corrections in an efficient way.
• It brings together all the factors like finance, regulation, and organization
to measure security.
• It maintains the log of every individual system that has been tested over
the years.
Cybersecurity Metric
Here is a list of some important cybersecurity metrics that portray the
current threat scenario well.
• Number of systems with vulnerabilities: A very important cybersecurity metric is to
know where your assets lag. This helps in determining risks along with the
improvements that must be made, so that vulnerabilities can be worked on
before anyone exploits them.
• Mean detection and response time: The sooner a cybersecurity breach is detected
and responded to, the smaller the loss. It is important to have systems that
reduce the mean detection and response time.
• Data volume over a corporate network: Employees having unrestricted access to the
company’s internet may turn out to be a disaster. If they use the company’s resources
to download anything, it might lead to a malware infection.

Cont.
• Review of frequency of third-party access: Third parties might have to access the network of a
company to complete a project or activity. Thus, monitoring their access is important to
identify any suspicious activity that might be under way at their end.
• Partners with effective cybersecurity: A company may have full control over its own cybersecurity
policies, but you never know if its business partners are as conscious as you are. Thus, the
higher the number of partners with strict cybersecurity policies, the lower the chances of
cyberattacks.

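Two of the metrics just listed, mean detection and response time and the number of systems with vulnerabilities, can be computed directly from incident tickets and vulnerability-scan output. The following is an added example, not from the slides: the incident records and scan results are constructed sample data, and the record layout (id, start, detected, resolved) is an assumption.

```python
"""Computing MTTD, MTTR and the vulnerable-systems ratio: added example.

Constructed data, not from the slides: three incident records and one
vulnerability scan summary. Times are local wall-clock, "YYYY-MM-DD HH:MM".
"""
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%d %H:%M"

# Constructed incident log: (incident id, start, detected, resolved)
INCIDENTS = [
    ("INC-1", "2024-03-01 08:00", "2024-03-01 10:30", "2024-03-01 14:30"),
    ("INC-2", "2024-03-04 22:15", "2024-03-05 09:15", "2024-03-05 12:15"),
    ("INC-3", "2024-03-10 13:00", "2024-03-10 13:45", "2024-03-11 13:45"),
]

# Constructed scan result: host -> severities of open findings
SCAN = {
    "web-01": ["high", "medium"],
    "web-02": [],
    "db-01": ["critical"],
    "file-01": [],
    "mail-01": ["low"],
}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, FMT)


def mean_time_to_detect(incidents=INCIDENTS) -> float:
    """MTTD in hours: average of (detected - start) over all incidents."""
    return mean((_t(det) - _t(start)).total_seconds() / 3600
                for _, start, det, _ in incidents)


def mean_time_to_respond(incidents=INCIDENTS) -> float:
    """MTTR in hours: average of (resolved - detected) over all incidents."""
    return mean((_t(res) - _t(det)).total_seconds() / 3600
                for _, _, det, res in incidents)


def vulnerable_systems(scan=SCAN, min_severity="medium") -> dict:
    """Count systems with at least one open finding at or above min_severity.

    Returns count, total, percentage and the sorted list of affected hosts so
    the figure on a dashboard can be traced back to the assets behind it.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    hosts = sorted(
        host for host, findings in scan.items()
        if any(SEVERITY_ORDER.index(f) >= threshold for f in findings)
    )
    return {
        "count": len(hosts),
        "total": len(scan),
        "percent": round(100 * len(hosts) / len(scan), 1),
        "hosts": hosts,
    }


def metrics_summary() -> dict:
    """One record suitable for a periodic report."""
    return {
        "mttd_hours": round(mean_time_to_detect(), 2),
        "mttr_hours": round(mean_time_to_respond(), 2),
        "vulnerable_systems": vulnerable_systems(),
    }


if __name__ == "__main__":
    print(metrics_summary())
```

The severity threshold is a parameter because the headline number changes a lot with it: in the constructed data, counting low-severity findings raises the ratio from 40 percent to 60 percent, which is exactly the kind of definition that has to be fixed in the measurement template before the figure is trended over time.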
Advantages of using Metric:
• For learning: To figure out different information pertaining to a
system, we have to start by asking questions. These questions will lead
us to answers and then in turn to information.
• For Decision Making: When we use a metric to gain information
about a system, we can extend its use even further by gaining insight
into previous decisions.
• For Implementation of Plans: After analyzing the loopholes in the
system and making decisions on how to go about rectifying them, it is
time to take action.

Challenges with a Cybersecurity Metric:
• It tracks the activity but does not say anything about outcomes. This is
a major limitation because the outcome adds more value.
• The metric provides a simple dashboard having the security status of
a company. However, in the process, it reveals key information about
how prepared the organization is.
• There exists a huge communication gap between the security function
and the people that they report to. Thus, the metric becomes
incomprehensible for management.

Information Security Performance Measurement
– InfoSec Performance Management
• InfoSec performance management is the process of designing,
implementing, and managing the use of the collected data elements
(called measurements or metrics) to determine the effectiveness of the
overall security program.
• Performance measurements (or performance measures) are data
points, or the trends computed from such measurements, that may
indicate the effectiveness of security countermeasures or controls
(technical or managerial) implemented in the organization.
• Those control approaches that are not effective should be modified or
replaced
• Those that are effective should be supported and continued
Information Security Performance Measurement
– InfoSec Performance Management
• Why is security performance measurement needed?
• It supports managerial decisions
• It increases accountability
• It improves the effectiveness of the InfoSec function
• It helps organizations align InfoSec performance and objectives with the organization’s
overall mission.
• Organizations use 3 types of measurements:
• Those that determine the effectiveness of the execution of InfoSec policy
• Those that determine the effectiveness of the delivery of InfoSec services (including
managerial and technical services, such as security training, installation of anti-virus
software)
• Those that assess the impact of an incident or other security event on the organization
Information Security Performance Measurement
– InfoSec Performance Management
• InfoSec metrics enable organizations to measure the level of effort
required to meet the stated objectives of the InfoSec program.
• The terms metrics and measurements are used interchangeably.
• Metrics traditionally described any statistical analysis technique on
performance or a derivation of a set of performance measurements.
• Managing the use of InfoSec performance measurements requires
commitment from the InfoSec management team.
• It consumes resources (people’s time, hardware cycles, special software)
• The results of the effort must be periodically and consistently reviewed
Before beginning the process…
• of designing, collecting and using measurements, the CISO should be
prepared to answer the following questions:
• Why should these measurements be collected?
• What specific measurements will be collected?
• How will these measurements be collected?
• When will these measurements be collected?
• Who will collect these measurements?
• Where (at what point in the function’s process) will these measurements be
collected?
Information Security Performance Measurement -
building the performance measurement program
• The InfoSec measurement development process can be divided into 2
major activities (illustrated in a figure from the source below)

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th
ed.). Cengage Learning. ISBN: 9781337671545
Information Security Performance Measurement -
Building the performance measurement program
• Phase 1: identifies relevant stakeholders and their interests in
InfoSec measurement.
• Primary stakeholder: those with key InfoSec responsibilities or data
ownership
• Secondary stakeholder: may not be primarily responsible for InfoSec
but have relevant tasks in some aspect of their jobs, such as human
resources personnel.
• Phase 2: identify and document the InfoSec performance goals
and objectives that would guide security control implementation for
the InfoSec program of a specific information system.
Information Security Performance Measurement -
Building the performance measurement program

• Phase 3: focuses on organization-specific InfoSec practices.
• Details of how security controls should be implemented are usually
specified in organization-specific policies and procedures.
• Phase 4: review the existing measurements and data repositories.
• Applicable information is extracted and used to identify appropriate
implementation evidence to support measurement development and
data collection.
Information Security Performance Measurement -
Building the performance measurement program
• Phase 5, 6 and 7
• Developing measurements that track process implementation,
effectiveness and mission impact.

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th
ed.). Cengage Learning. ISBN: 9781337671545
Information Security Performance Measurement -
Specifying InfoSec Measurements
• One of the critical tasks in the measurement process is to assess and
quantify what will be measured
• More detailed measurements must be obtained when assessing the effort
spent to complete production and project tasks.
• Measurements collected from production statistics depend greatly on
the number of systems and the number of users of the system
• Collecting performance measurements about project activities links
the outcome of each project, in terms of loss control or risk reduction,
to the resources consumed
Information Security Performance Measurement -
Collecting InfoSec Measurements
• Designing the collection process requires thoughtful consideration of the
intent of the measurement along with a thorough knowledge of how
production services are delivered

• Measurement development approach:
• Macro-focus: examine the performance of the overall security program.
• Micro-focus: examine the performance of an individual control or group of
controls within the InfoSec program.
Information Security Performance Measurement -
Collecting InfoSec Measurements
• Measurement prioritization and selection:
• Assign values to each measurement based on its importance in the overall InfoSec program, in
overall risk mitigation goals and in the criticality of the systems.
• Low-, medium- or high-priority ranking system
• Weighted scale approach
• Literally, hundreds of measurements could be used; only those associated with appropriate-level
priority activities should be incorporated
• Establishing performance targets:
• Performance targets make it possible to define success in the security program.
• Many InfoSec performance measurement targets are represented by a 100 percent target goal (e.g.,
a goal of 100 percent employee InfoSec training)
• Measurement development template:
• Develop a template that an organization can use to document performance measurements
Information Security Performance Measurement
- Implementing InfoSec Performance Measurements
• Once InfoSec performance measurements are developed, they must be
implemented and integrated into the ongoing InfoSec management
operations
• Performance measurement is an ongoing and continuous
improvement operation
• The collection of all measurement data should be part of standard
operating procedure across the organization
Information Security Performance Measurement
- Reporting InfoSec Performance Measurements
• In most cases, simply listing the performance measurements collected
does not adequately convey their meaning
• E.g., a line chart showing the number of malicious code attacks occurring per
day
• It may provide more information when correlated with the number of new malicious code
variants on the Internet in that time period (so that precautions can be taken)
• How to do reporting? Present correlated metrics
• Use pie, line, scatter or bar charts?
• Which colours denote which kinds of results?

Information Security Performance Measurement
- Reporting InfoSec Performance Measurements
• Consider to whom the results of the performance measurement
program should be disseminated, and how they should be delivered
• Usually, these types of reports are presented in meetings with key
executive peers
• It is seldom advisable to broadcast complex metrics-based reports to
large groups, unless the key points are well established and
embedded in a more complete context, such as a press release

Information Security Performance Measurement
- Reporting InfoSec Performance Measurements
• Many organizations choose to implement a consolidated summary of key
performance measurements using a dashboard of security indicators
(illustrated in a figure from the source below)

Source: Whitman, M. E., & Mattord, H. J. (2019). Management of Information Security (6th
ed.). Cengage Learning. ISBN: 9781337671545
Benchmarking
• Benchmarking (external benchmarking) is an attempt to improve
information security practices by comparing an organization’s efforts
against the practices of a similar organization (one similar in size,
structure or industry) or an industry-developed standard.
• Internal benchmarking (baselining) is a tool used to compare current
performance against past performance and to look for trends of
improvement or areas that need additional work.
• Two categories of terms describing security practices are commonly
used:
• Standards of due care & due diligence
• Recommended practices (gold standard)/best security practices
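
The measurement development template, performance targets and weighted-scale prioritization described under Collecting InfoSec Measurements, and the baselining (internal benchmarking) defined above, fit together in one small piece of code. The following is an added example, not from the slides or the textbook: the template fields, the three measurements and the two periods of results are constructed assumptions chosen to match the metrics discussed in this lecture.

```python
"""Measurement template, performance targets and baselining: added example.

Constructed: each measurement record follows a hypothetical template
(id, description, target, direction, priority weight, collection frequency).
Results for two periods are compared against the target and against the
previous period, which is what internal benchmarking (baselining) does.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measurement:
    measure_id: str
    description: str
    target: float            # e.g. 100.0 for "100 percent employee InfoSec training"
    higher_is_better: bool   # direction in which the value should move
    weight: int              # weighted-scale priority, 1 (low) .. 5 (high)
    frequency: str           # how often the data is collected


# Constructed measurement template (an assumption, not the textbook's template)
TEMPLATE = [
    Measurement("M-1", "Percentage of employees who completed InfoSec training",
                100.0, True, 5, "quarterly"),
    Measurement("M-2", "Percentage of systems with open high/critical vulnerabilities",
                0.0, False, 4, "monthly"),
    Measurement("M-3", "Mean time to detect incidents (hours)",
                8.0, False, 3, "monthly"),
]

# Constructed results: period -> measure_id -> observed value
RESULTS = {
    "2024-Q1": {"M-1": 82.0, "M-2": 40.0, "M-3": 12.0},
    "2024-Q2": {"M-1": 95.0, "M-2": 20.0, "M-3": 4.75},
}


def meets_target(m: Measurement, value: float) -> bool:
    """A target is met when the value is on the right side of it."""
    return value >= m.target if m.higher_is_better else value <= m.target


def baseline_report(current: str, previous: str,
                    template=TEMPLATE, results=RESULTS) -> list:
    """Compare each measurement against its target and the previous period.

    Rows are ordered by priority weight so the highest-priority measurements
    appear first in a report.
    """
    rows = []
    for m in sorted(template, key=lambda m: -m.weight):
        now = results[current][m.measure_id]
        before = results[previous][m.measure_id]
        if now == before:
            trend = "flat"
        elif (now > before) == m.higher_is_better:
            trend = "improving"
        else:
            trend = "worsening"
        rows.append({"id": m.measure_id, "weight": m.weight, "value": now,
                     "target": m.target, "meets_target": meets_target(m, now),
                     "trend": trend})
    return rows


def weighted_score(current: str, template=TEMPLATE, results=RESULTS) -> float:
    """Share (0..100) of total priority weight whose target is met this period."""
    total = sum(m.weight for m in template)
    on_target = sum(m.weight for m in template
                    if meets_target(m, results[current][m.measure_id]))
    return round(100 * on_target / total, 1)


if __name__ == "__main__":
    for row in baseline_report("2024-Q2", "2024-Q1"):
        print(row)
    print("weighted score:", weighted_score("2024-Q2"))
```

The trend column is the baselining result and the meets_target column is the external target; the two disagree for M-1 in the constructed data (improving, but still short of the 100 percent goal), which is the distinction a reader of the dashboard needs to see rather than a single combined colour.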
Benchmarking
Standard of due care / due diligence
• For legal reasons, certain organizations may be compelled to adopt a stipulated minimum level of security.
• Standard of due care: the legal standard that requires an organization and its employees to act as a “reasonable
and prudent” individual or organization would under similar circumstances.
• Due diligence: the organization has implemented a formal process to ensure continued compliance with the
standards of due care.
• Failure to establish and maintain standards of due care and due diligence can expose an organization to legal
liability.

Recommended Security Practices
• Recommended practices: security efforts that seek to provide a superior level of performance in the protection of
information.
• Best security practices (BSPs): security efforts that are considered among the best in the industry.
• These practices balance the need for information access with the need for adequate protection while
demonstrating fiscal responsibility.
Benchmarking
Selecting Recommended Practices
• Industries that are regulated by laws and standards and are subject to
government or industry oversight are required to meet the regulatory or
industry guidelines in their security practices.
• Government and industry guidelines can serve as excellent sources of
information about what is required to control InfoSec risks.
Benchmarking
Limitations/barriers to Benchmarking and Recommended Practices
• Many organizations do not share results with other organizations. Valuable
lessons are not recorded, disseminated and evaluated.
• No two organizations are identical (differ in size, composition, management
philosophy, organizational culture, technological infrastructure, and planned
expenditures for security).
• Recommended practices are a moving target. Knowing what happened a few
years ago does not necessarily tell you what to do next; preparing for
past threats does not protect you from what lies ahead.
ISO 27001 Certification
• Those doing business internationally, or those just seeking to influence potential
customers with their level of security, could seek ISO 27000 Certification.

https://egs.eccouncil.org/what-do-you-know-about-iso-27001-malaysia/
Reference:
• Whitman, M. E., & Mattord, H. J. (2019). Management of Information
Security (6th ed.). Cengage Learning.
• Chapter 9: Security Management Practices
