
Chapter: Information Security : Physical Design

Security and Personnel

When implementing information security, there are many human resource issues that must be addressed: Positioning and naming, Staffing



Positioning and naming




Evaluating impact of information security across every role in IT function


Integrating solid information security concepts into personnel practices


Employees often feel threatened when an organization is creating or enhancing its overall information security program


Positioning and Staffing the Security Function


The security function can be placed within:


IT function


Physical security function


Administrative services function


Insurance and risk management function


Legal department


Organizations balance needs of enforcement with needs for education, training, awareness, and customer service



Staffing The Information Security Function


Selecting personnel is based on many criteria, including supply and demand


Many professionals enter security market by gaining skills, experience, and credentials


At present, the information security industry is in a period of high demand


Qualifications and Requirements

The following factors must be addressed:


Management should learn more about position requirements and qualifications


Upper management should learn about budgetary needs of information security function


IT and management must learn more about level of influence and prestige the information security function should be given to be effective


Organizations typically look for technically qualified information security generalist


Organizations look for information security professionals who understand:


How an organization operates at all levels


That information security is usually a management problem, not a technical problem


Strong communications and writing skills


The role of policy in guiding security efforts




Most mainstream IT technologies


The terminology of IT and information security


Threats facing an organization and how they can become attacks


How to protect organization’s assets from information security attacks


How business solutions can be applied to solve specific information security problems


Entry into the Information Security Profession

Many information security professionals enter the field through one of two career paths:


Law enforcement and military


Technical, working on security applications and processes


Today, students select and tailor degree programs to prepare for work in information security


Organizations can foster greater professionalism by matching candidates to clearly defined expectations and position descriptions


Information Security Positions

Use of standard job descriptions can increase the degree of professionalism and improve the consistency of roles and responsibilities between organizations


Charles Cresson Wood’s book Information Security Roles and Responsibilities Made Easy offers set of model job descriptions


Chief Information Security Officer (CISO or CSO)


Top information security position; frequently reports to the Chief Information Officer (CIO)


Manages the overall information security program


Drafts or approves information security policies


Works with the CIO on strategic plans




Develops information security budgets


Sets priorities for information security projects and technology


Makes recruiting, hiring, and firing decisions or recommendations


Acts as spokesperson for information security team


Typical qualifications: accreditation; graduate degree; experience


Security Manager


Accountable for day-to-day operation of information security program


Accomplish objectives as identified by CISO


Typical qualifications: accreditation is not uncommon; ability to draft middle- and lower-level policies, standards and guidelines; budgeting, project management, and hiring and firing; ability to manage technicians


Employment Policies and Practices


Management community of interest should integrate solid information security concepts into organization’s employment policies and practices


Organization should make information security a documented part of every employee’s job description


From information security perspective, hiring of employees is a responsibility laden with potential security pitfalls


CISO and information security manager should provide human resources with information security input to personnel hiring guidelines




When an employee leaves the organization, there are a number of security-related issues


Key is protection of all information to which employee had access


Once cleared, the former employee should be escorted from premises


Many organizations use an exit interview to remind former employee of contractual obligations and to obtain feedback


Hostile departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting



Before the employee is aware, all logical and keycard access is terminated


Employee collects all belongings and surrenders all keys, keycards, and other company property


Employee is then escorted out of the building


Friendly departures include resignation, retirement, promotion, or relocation


Employee may be notified well in advance of departure date


More difficult for security to maintain positive control over employee’s access and information usage


Employee access usually continues with new expiration date


Employees come and go at will, collect their own belongings, and leave on their own


Offices and information used by the employee must be inventoried; files stored or destroyed; and property returned to organizational stores


Possible that employees foresee departure well in advance and begin collecting organizational information for their future employment


Only by scrutinizing system logs after the employee has departed can the organization determine whether there has been a breach of policy or a loss of information


If information has been copied or stolen, action should be declared an incident and the appropriate policy followed
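The two departure cases above (hostile: access must already be gone before the employee knows; friendly: the employee keeps access and may collect information ahead of leaving) both end in the same post-departure log review. The script below is an added example, not part of the original notes. It runs two checks over a constructed access log: any event by the account at or after the revocation time (which would mean the hostile-departure revocation failed or was incomplete), and any day in the notice period whose volume of file reads is far above the account's own earlier baseline (the "collecting information for future employment" pattern). The log format, user names, timestamps and the 5x-baseline / 1 MB thresholds are all assumptions chosen for the example.

```python
"""Post-departure log review for a former employee's account.

Added example, not from the original lecture notes. The log format,
account names, dates and thresholds are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample log, one event per line:
#   ISO-timestamp  user  action  resource  bytes
SAMPLE_LOG = """\
2024-03-01T09:02:11 jdoe LOGIN vpn 0
2024-03-01T09:15:40 jdoe READ /share/finance/q1-forecast.xlsx 812000
2024-03-04T10:01:02 jdoe READ /share/eng/design-notes.docx 45000
2024-03-11T18:40:13 jdoe LOGIN vpn 0
2024-03-11T18:41:00 jdoe READ /share/sales/customer-list.csv 5200000
2024-03-11T18:43:12 jdoe READ /share/sales/pipeline-2024.xlsx 3100000
2024-03-11T18:47:55 jdoe READ /share/eng/roadmap.pptx 9800000
2024-03-12T21:05:09 jdoe READ /share/eng/source-export.zip 48000000
2024-03-13T08:00:00 asmith LOGIN vpn 0
2024-03-15T17:00:00 jdoe LOGOUT vpn 0
2024-03-16T02:13:45 jdoe LOGIN vpn 0
2024-03-16T02:14:02 jdoe READ /share/sales/customer-list.csv 5200000
"""

# Assumed timeline for the departing account "jdoe": notice given on
# 2024-03-11, last day 2024-03-15, all access revoked at 18:00 that day.
NOTICE_DATE = date(2024, 3, 11)
DEPARTURE_DATE = date(2024, 3, 15)
REVOKED_AT = datetime(2024, 3, 15, 18, 0, 0)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    resource: str
    nbytes: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, resource, int(nbytes)))
    return events


def access_after_revocation(events: list[Event], user: str, revoked_at: datetime) -> list[Event]:
    """Events by `user` at or after `revoked_at`: each one means the account
    (or some credential tied to it) was still usable after termination."""
    return [e for e in events if e.user == user and e.ts >= revoked_at]


def _read_bytes_per_day(events: list[Event], user: str) -> dict[date, int]:
    totals: dict[date, int] = defaultdict(int)
    for e in events:
        if e.user == user and e.action == "READ":
            totals[e.ts.date()] += e.nbytes
    return totals


def bulk_activity_before_departure(events: list[Event], user: str, notice_date: date,
                                   departure_date: date, multiplier: float = 5.0,
                                   floor_bytes: int = 1_000_000) -> list[tuple[date, int]]:
    """Days in [notice_date, departure_date] whose READ volume exceeds
    `multiplier` times the account's average active day before notice.
    `floor_bytes` keeps tiny baselines (or no baseline) from flagging noise."""
    totals = _read_bytes_per_day(events, user)
    baseline = [b for d, b in totals.items() if d < notice_date]
    baseline_avg = sum(baseline) / len(baseline) if baseline else 0.0
    threshold = max(multiplier * baseline_avg, floor_bytes)
    return sorted((d, b) for d, b in totals.items()
                  if notice_date <= d <= departure_date and b > threshold)


def review_departure(events: list[Event], user: str, notice_date: date,
                     departure_date: date, revoked_at: datetime) -> dict:
    """Combine both checks; any finding is grounds to declare an incident."""
    post = access_after_revocation(events, user, revoked_at)
    bulk = bulk_activity_before_departure(events, user, notice_date, departure_date)
    return {"post_revocation": post, "bulk_days": bulk, "incident": bool(post or bulk)}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    report = review_departure(EVENTS, "jdoe", NOTICE_DATE, DEPARTURE_DATE, REVOKED_AT)
    for e in report["post_revocation"]:
        print(f"ACCESS AFTER REVOCATION: {e.ts.isoformat()} {e.action} {e.resource}")
    for d, b in report["bulk_days"]:
        print(f"BULK READS IN NOTICE PERIOD: {d.isoformat()} {b} bytes")
    print("declare incident:", report["incident"])
```

In the constructed log the baseline is two ordinary days (about 430 KB each), so the 18 MB and 48 MB read days during the notice period are flagged, as are the two events at 02:13 on the 16th, after revocation. Either finding alone would trigger the incident policy; in practice the post-revocation check is the one to run first and repeatedly, since it tells you whether the termination step itself succeeded on every system the account touched.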
