31 Pages

13 Personnel Security

Course: CENT 305, Fall 2009
School: University of Hawaii -...
Word Count: 1816


Personnel and Security
Principles of Information Security, Chapter 11

Topic Objectives
Discuss:
- Security functions and positions
- Credentials
- Employment policies and practices
- Security issues related to nonemployees
- Separation of duties
- Special requirements for the privacy of personnel data

Security Function Within an Organization's Structure
The security function can be placed within the:
- IT function
- Physical security function
- Administrative services function
- Insurance and risk management function
- Legal department
Challenge: to design a structure that balances the competing needs of the communities of interest
Goal: balance the needs of enforcement with the needs for education, training, awareness, and customer service

Qualifications and Requirements
- Organizations typically look for a technically qualified information security generalist
- It is important to balance technical skills with general security knowledge
- Many information security professionals enter the field through one of two career paths:
  - ex-law enforcement and military personnel
  - technical professionals working on security applications and processes
- Today, students are selecting and tailoring degree programs to prepare for work in security

[Figure 11-2]

Chief Information Security Officer (CISO)
- The top information security position in the organization; usually not an executive position
- Frequently reports to the Chief Information Officer
- The CISO performs the following functions:
  - Manages the overall InfoSec program
  - Drafts or approves information security policies
  - Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
  - Develops InfoSec budgets based on funding
  - Sets priorities for InfoSec projects and technology
  - Makes decisions in recruiting, hiring, and firing of security staff
  - Spokesperson for the security team
- Qualifications and position requirements:
  - Often a CISSP
  - May have a graduate degree
  - Experience as a security manager

Security Manager (ISSM/ISSO)
- Accountable for the day-to-day operation of the information security program
- Accomplishes objectives as identified by the CISO
- Qualifications and position requirements:
  - May have CISSP certification
  - Traditionally, managers earned the CISSP while technical professionals earned the Global Information Assurance Certification (GIAC)
  - Able to draft middle- and lower-level policies as well as standards and guidelines
  - Must have experience in budgeting, project management, and hiring and firing
  - Must also be able to manage technicians, both in the assignment of tasks and the monitoring of activities

Security Technician
- Technically qualified individuals tasked to configure security hardware and software
- Tend to be specialized: focus on one major security technology, and further specialize in one software or hardware solution
- Qualifications and position requirements:
  - Organizations prefer expert, certified, proficient technicians
  - Job descriptions cover some level of experience with a particular hardware and software package
  - Familiarity with a technology may get an interview
  - Experience in using the technology is usually required to get the job

Internal Security Consultant
- Typically an expert in some aspect of information security
- May involve a formal security services company
- May find a qualified individual consultant
- Must be highly proficient in the managerial aspects of security
- Information security consultants usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO

Credentials of Information Security Professionals
- Many organizations seek recognizable certifications
- Most existing certifications are relatively new
- Certifications:
  - CISSP and SSCP
  - Global Information Assurance Certification (GIAC)
  - Security Certified Professional
  - T.I.C.S.A. and T.I.C.S.E.
  - Security+
  - Certified Information Systems Auditor
  - Certified Information Systems Forensics Investigator

Cost of Being Certified
- Certifications cost money: better certifications can be quite expensive, and the cost of training can also be significant
- Certification exams require preparation
  - Intended to reflect knowledge and experience in the field
  - Even experienced professionals need to prepare
- Training sources: trade press books, formal training for CISSP, etc.
- Exam preparation
  - Review the exam criteria, purpose and requirements
  - Ensure that the time and energy spent pursuing the certification are well spent

Employment Policies and Practices
- Job Descriptions: review and update all job descriptions to include security-related requirements
- Hiring Practices
  - Interviews: avoid revealing access privileges to prospective employees when advertising positions
  - Use caution when showing a candidate around the facility
  - Use background checks to investigate candidate history

[Figure 11-4]

Background Checks
- A background check is an investigation into a candidate's past
- There are regulations that govern such investigations
- Background checks differ in the level of detail and depth with which the candidate is examined:
  - Identity checks
  - Education and credential checks
  - Previous employment verification
  - Reference checks
  - Worker's Compensation history
  - Motor vehicle records
  - Drug history
  - Credit history
  - Civil court history
  - Criminal court history

Fair Credit Reporting Act
- Federal regulations exist on the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA)
- Background reports contain information on a job candidate's credit history, employment history, and other personal data
- FCRA prohibits employers from obtaining these reports unless the candidate is informed

Employment Contracts
- An important security instrument
- Employees may be required to agree to security requirements in writing:
  - If existing employees refuse to sign these contracts, the security personnel are placed in a difficult situation
  - For new employees, employment may be contingent upon agreement with these requirements
  - The employee is not offered the position unless he/she agrees to the binding organizational policies

New Hire Orientation
- New employees should receive an extensive information security briefing on all major policies, procedures, and requirements for information security
- The levels of authorized access are outlined, and training is provided on the secure use of information systems
- By the time employees are ready to report to their positions, they should be thoroughly briefed and ready to perform their duties securely

On-the-Job Training
- Periodic security awareness training
  - Required as part of every new employee's ongoing job orientation
  - Required as part of every employee's ongoing security responsibilities
- Goal: keep security at the forefront of employees' minds and minimize employee mistakes
- Formal external and informal internal seminars also increase the level of security awareness for all employees, especially security employees

Performance Evaluation
- Should incorporate information security components
- Goal: increase information security awareness and change workplace behavior
- Specify the expected level of performance

Termination
- Goal: protection of all information to which the employee had access
- When an employee leaves the organization, several tasks must be performed:
  - Access to the organization's systems disabled
  - Removable media returned
  - Hard drives secured
  - File cabinet locks changed
  - Office door lock changed
  - Keycard access revoked
  - Personal effects removed from the organization's premises
- Once cleared, departing employees should be escorted from the premises
- Many organizations also use an exit interview to determine the motivation for leaving

Hostile Departure
Hostile departure (nonvoluntary): termination, downsizing, layoff, or quitting
- Terminate all logical and keycard access before the employee is notified
- Escort the employee into the supervisor's office as soon as the employee reports for work
- Upon receiving notice of termination, escort the employee to the work area to collect personal belongings
- Ask the employee to surrender all keys, keycards, and other company property
- Then escort the former employee out of the building

Friendly Departure
Friendly departure (voluntary): retirement, promotion, or relocation
- The employee may give notice well in advance of the actual departure date
- More difficult to maintain positive control over the employee's access and information usage
- Employee access is usually allowed to continue with a new expiration date
- Employees come and go at will, collect their own belongings, and leave on their own
- Employees are asked to drop off all organizational property "on their way out the door"

Termination (continued)
- In all circumstances, the offices and information used by the employee must be inventoried, their files stored or destroyed, and all property returned to organizational stores
- Employees may foresee departure well in advance and begin collecting organizational information or anything that could be valuable in their future employment
- It is necessary to determine whether there has been a breach of policy or a loss of information:
  - Review system logs thoroughly after the employee has departed, and
  - Sort out authorized actions from system misuse or information theft
- If information is illegally copied or stolen, the action should be declared an incident and the appropriate policy followed

Security Considerations for Nonemployees
- Individuals who are not subject to rigorous screening, contractual obligations, and eventual secured termination often have access to sensitive organizational information:
  - Temporary employees
  - Contract employees
  - Consultants
  - Business partners
- Relationships with individuals in this category should be carefully managed to prevent a possible information leak or theft

Temporary Employees
- Hired to serve in a temporary position or to supplement the existing workforce
- Not employed permanently by the host organization
- Often not subject to the contractual obligations or general policies
- If these individuals breach a policy or cause a problem, options are limited
- From a security standpoint, access to information for these individuals should be limited to that necessary to perform their duties
- The temp's supervisor must restrict the information to which they have access

Contract Employees
- Typically hired to perform specific services for the organization
- Contract may exist with...
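The post-departure log review and the hostile-departure rule (revoke access before the employee is notified) described in the termination slides, scripted as an added example that is not part of the course material. The roster format, the authentication log format, the user names and all timestamps are constructed assumptions.

```python
"""Post-departure access review (added example; not from the course slides).

Constructed inputs (assumptions, not real data):
  DEPARTURES: user -> (notified_at, access_revoked_at) as ISO-8601 strings
  AUTH_LOG:   one event per line, '<ISO timestamp> <user> <event> <source>'
"""
from datetime import datetime

# Constructed departure roster: jdoe handled correctly (revoked before notice),
# asmith revoked more than an hour after being notified.
DEPARTURES = {
    "jdoe": ("2009-11-02T09:00:00", "2009-11-02T08:30:00"),
    "asmith": ("2009-11-02T10:00:00", "2009-11-02T11:15:00"),
}

# Constructed authentication log lines
AUTH_LOG = """\
2009-11-02T08:10:00 jdoe login_ok vpn
2009-11-02T08:45:00 jdoe login_fail vpn
2009-11-02T09:30:00 jdoe login_ok fileserver
2009-11-02T10:40:00 asmith login_ok fileserver
2009-11-03T07:00:00 bwong login_ok vpn
"""


def parse_ts(text):
    return datetime.fromisoformat(text)


def parse_log(text):
    """Split each log line into (timestamp, user, event, source)."""
    events = []
    for line in text.splitlines():
        ts, user, event, source = line.split()
        events.append((parse_ts(ts), user, event, source))
    return events


def late_revocations(departures):
    """Users whose access was revoked at or after the time they were notified."""
    return sorted(u for u, (notified, revoked) in departures.items()
                  if parse_ts(revoked) >= parse_ts(notified))


def suspicious_access(departures, log_text):
    """Successful logins by departed users that the termination process should
    have prevented: after revocation, or after notice but before revocation."""
    findings = []
    for ts, user, event, source in parse_log(log_text):
        if user not in departures or event != "login_ok":
            continue  # failed attempts after revocation are the expected outcome
        notified, revoked = (parse_ts(t) for t in departures[user])
        if ts > revoked:
            findings.append((user, ts.isoformat(), source, "after_revocation"))
        elif ts >= notified:
            findings.append((user, ts.isoformat(), source, "after_notice_before_revocation"))
    return findings
```

Any "after_revocation" finding means the logical-access step of the checklist failed for that account and the event should be treated as an incident under the organization's policy.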
