SECURITY AND PERSONNEL
Introduction
When implementing information security, an organization must address several human resource issues:
Positioning and naming the security function
Staffing the security function
Evaluating the impact of information security on every role in the IT function
Integrating solid information security concepts into personnel practices
Employees often feel threatened when the organization creates or enhances its overall information security program
Positioning and Staffing the Security Function
The security function can be placed within the:
IT function
Physical security function
Administrative services function
Insurance and risk management function
Legal department
Wherever it is placed, the organization must balance the need for enforcement against the need for education, training, awareness, and customer service
Staffing the Information Security Function
Selection of personnel is based on many criteria, including supply and demand
Many professionals enter the security market by gaining skills, experience, and credentials
At present, the information security industry is in a period of high demand
Qualifications and Requirements
Management should learn more about position requirements and qualifications
Upper management should learn about the budgetary needs of the information security function
IT and general management must learn how much influence and prestige the information security function needs in order to be effective
Organizations typically look for a technically qualified information security generalist
Organizations look for information security professionals who have strong communication and writing skills and who understand:
How an organization operates at all levels
That information security is usually a management problem, not a technical problem
The role of policy in guiding security efforts
Most mainstream IT technologies
The terminology of IT and information security
The threats facing an organization and how they can become attacks
How to protect the organization's assets from information security attacks
How business solutions can be applied to solve specific information security problems
Entry into the Information Security Profession
Many information security professionals enter the field through one of two career paths:
Law enforcement and military
Technical work on security applications and processes
Today, students select and tailor degree programs to prepare for work in information security
Organizations can foster greater professionalism by matching candidates to clearly defined expectations and position descriptions
Information Security Positions
Charles Cresson Wood's book Information Security Roles and Responsibilities Made Easy offers a set of model job descriptions
Chief Information Security Officer (CISO or CSO)
Top information security position; frequently reports to the Chief Information Officer
Manages the overall information security program
Drafts or approves information security policies
Works with the CIO on strategic plans
Develops information security budgets
Sets priorities for information security projects and technology
Makes recruiting, hiring, and firing decisions or recommendations
Acts as spokesperson for the information security team
Typical qualifications: professional certification; graduate degree; experience
Security Manager
Accountable for the day-to-day operation of the information security program
Accomplishes the objectives identified by the CISO
Typical qualifications: professional certification is common; ability to draft middle- and lower-level policies, standards, and guidelines; experience with budgeting, project management, and hiring and firing; ability to manage technicians
Employment Policies and Practices
The management community of interest should integrate solid information security concepts into the organization's employment policies and practices
The organization should make information security a documented part of every employee's job description
From an information security perspective, hiring employees is a responsibility laden with potential security pitfalls
The CISO and the information security manager should provide human resources with information security input to the personnel hiring guidelines
Termination
When an employee leaves the organization, a number of security-related issues arise
The key is protection of all information to which the employee had access
Once cleared, the former employee should be escorted from the premises
Many organizations use an exit interview to remind the former employee of contractual obligations and to obtain feedback
Hostile departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting
Before the employee is aware, all logical and keycard access is terminated
The employee collects all belongings and surrenders all keys, keycards, and other company property
The employee is then escorted out of the building
Friendly departures include resignation, retirement, promotion, or relocation
The employee may be notified well in advance of the departure date
It is more difficult for security to maintain positive control over the employee's access and information usage
Employee access usually continues, with a new expiration date
Employees come and go at will, collect their own belongings, and leave on their own
In either case, the offices and information used by the employee must be inventoried; files stored or destroyed; and property returned to organizational stores
Employees may foresee their departure well in advance and begin collecting organizational information for use in their future employment
Only by scrutinizing system logs after the employee has departed can the organization determine whether there has been a breach of policy or a loss of information
If information has been copied or stolen, the action should be declared an incident and the appropriate incident response policy followed
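The last two points, reviewing system logs after a departure and declaring an incident if information was taken, are the one place in this section where the check can be shown concretely. The Python script below is an added example, not part of the original page or of the textbook it summarizes. Its audit-log format, the field names, the `jdoe` and `asmith` accounts, the revocation time and every log line are constructed for illustration; a real review would parse the organization's own authentication and file-access logs. It asks the logs two questions: did the departed account keep producing events after the time HR says access was revoked (deprovisioning failed or credentials were reused), and did the employee's download volume in the final two weeks jump relative to their earlier daily baseline (the pre-departure collection the text warns about).

```python
"""Post-departure log review (added example; log format and all records are constructed)."""
from datetime import datetime, timedelta

# Constructed audit records, one per line: timestamp user action object bytes
SAMPLE_LOG = """\
2023-03-01T09:12:00 jdoe LOGIN vpn 0
2023-03-01T09:30:00 jdoe DOWNLOAD share://eng/design.docx 204800
2023-03-08T10:05:00 jdoe DOWNLOAD share://eng/roadmap.xlsx 102400
2023-03-20T08:50:00 jdoe DOWNLOAD share://eng/customers.csv 52428800
2023-03-20T09:10:00 jdoe DOWNLOAD share://eng/pricing.xlsx 31457280
2023-03-21T17:45:00 jdoe DOWNLOAD share://eng/source.zip 419430400
2023-03-22T11:00:00 jdoe LOGIN vpn 0
2023-03-22T11:01:00 jdoe DOWNLOAD share://eng/contracts.pdf 20971520
2023-03-31T18:02:00 jdoe LOGIN vpn 0
2023-03-31T18:03:00 jdoe DOWNLOAD share://eng/notes.txt 4096
2023-04-01T07:30:00 asmith LOGIN vpn 0
"""

# Assumed: HR recorded that jdoe's access was revoked at 17:00 on the last day.
REVOKED_AT = datetime(2023, 3, 31, 17, 0)


def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def access_after_revocation(events, user, revoked_at):
    """Events by the departed account after the revocation time.

    Any hit means logical access was not actually terminated when it should
    have been (or a shared/reused credential is in play) and needs follow-up."""
    return [e for e in events if e["user"] == user and e["ts"] > revoked_at]


def pre_departure_exfil(events, user, departure, window_days=14, ratio=5.0):
    """Compare bytes downloaded in the last `window_days` before departure with
    the user's earlier per-day baseline; flag when the window exceeds `ratio`
    times what the baseline predicts for a window of that length."""
    window_start = departure - timedelta(days=window_days)
    window_bytes = 0
    baseline_bytes = 0
    baseline_days = set()
    for e in events:
        if e["user"] != user or e["action"] != "DOWNLOAD" or e["ts"] > departure:
            continue
        if e["ts"] >= window_start:
            window_bytes += e["bytes"]
        else:
            baseline_bytes += e["bytes"]
            baseline_days.add(e["ts"].date())
    if not baseline_days:
        # No history to compare against: any download in the window is worth a look.
        return {"flag": window_bytes > 0, "window_bytes": window_bytes,
                "baseline_per_day": 0.0}
    baseline_per_day = baseline_bytes / len(baseline_days)
    expected = baseline_per_day * window_days
    return {"flag": window_bytes > ratio * expected, "window_bytes": window_bytes,
            "baseline_per_day": baseline_per_day}


def review(events, user, revoked_at):
    """Combine both checks into one report; either flag should open an incident."""
    late = access_after_revocation(events, user, revoked_at)
    exfil = pre_departure_exfil(events, user, revoked_at)
    return {"user": user, "late_events": late, "exfil": exfil,
            "declare_incident": bool(late) or exfil["flag"]}


if __name__ == "__main__":
    report = review(parse_log(SAMPLE_LOG), "jdoe", REVOKED_AT)
    for e in report["late_events"]:
        print(f"ACCESS AFTER REVOCATION: {e['ts']} {e['action']} {e['object']}")
    print(f"downloads in final window: {report['exfil']['window_bytes']} bytes, "
          f"baseline {report['exfil']['baseline_per_day']:.0f} bytes/day, "
          f"flag={report['exfil']['flag']}")
    print("declare incident:", report["declare_incident"])
```

The two checks are deliberately simple so the thresholds are visible: the post-revocation check is binary (one event is one too many), while the volume check uses the employee's own history as the baseline rather than a fixed byte count, so a heavy-download role is not flagged merely for being busy. In practice both would run against the identity provider's sign-in log and the file server or DLP export log for every departure, friendly or hostile.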