CT 201 wk4 ch11 - Coggle Diagram
Review questions
- For each major information security job title covered in the chapter, list and describe
- What factors influence an organization’s decisions to hire information security professionals?
- Prioritize the list of general attributes that organizations seek when hiring information security professionals. In other words, list the most important attributes first. Use the list you developed to answer the previous review question.
- What are critical considerations when dismissing an employee? Do they change according to whether the departure is friendly or hostile, or according to which position the employee is leaving?
- How do security considerations for temporary or contract employees differ from those for regular full-time employees?
- What career paths do most experienced professionals take when moving into information security? Are other pathways available? If so, describe them.
- Why is it important to use specific and clearly defined job descriptions for hiring information security professionals?
- What functions does the CISO perform?
- What functions does the security manager perform?
- What functions does the security analyst perform?
- What rationale should an aspiring information security professional use in acquiring professional credentials?
- List and describe the credentials of the information security certifications mentioned in this chapter.
- Who should pay for the expenses of certification? Why?
- List and describe the standard personnel practices that are part of the information security function. What happens to these practices when they are integrated with information security concepts?
- Why shouldn’t an organization give a job candidate a tour of secure areas during an interview?
- List and describe the typical relationships that organizations have with temporary employees, contract employees, and consultants. What special security precautions must an organization consider for such workers, and why are they significant?
- What is separation of duties? How can it be used to improve an organization’s information security practices?
- What is job rotation, and what benefits does it offer an organization?
Chapter summary
■ Where to place the information security function within the organization is a key decision. The most popular options involve placing information security within IT or the physical security function. Organizations searching for a rational compromise should place the information security function where it can balance its need to enforce company policy with its need to deliver service to the entire organization.
■ The selection of information security personnel is based on several criteria, not all of which are within the control of the organization.
■ In most cases, organizations look for a technically qualified information security generalist with a solid understanding of how an organization operates. The following attributes are also desirable:
  ■ An attitude that information security is usually a management problem, not an exclusively technical problem
  ■ Good people skills, communication skills, writing skills, and a tolerance for users
  ■ An understanding of the threats facing an organization, how they can become attacks, and how to protect the organization from information security attacks
  ■ A working knowledge of many common technologies and a general familiarity with most mainstream IT technologies
■ Many information security professionals enter the field through one of two career paths: via law enforcement or military personnel, or from other professions related to technical information systems. In recent years, college students have been able to take courses that prepare them to enter the information security workforce directly.
■ During the hiring process for an information security position, an organization should use standard job descriptions to increase the degree of professionalism among applicants and to make sure the position’s roles and responsibilities are consistent with those of similar positions in other organizations. Studies of information security positions have found that they can be classified into one of three areas: those that define, those that build, and those that administer.
■ When filling information security positions, many organizations indicate the level of proficiency required for the job by specifying that the candidate have recognizable certifications. Some of the more popular are:
  ■ The (ISC)² family of certifications, including the Certified Information Systems Security Professional (CISSP), a number of CISSP specialization certifications, the Systems Security Certified Practitioner (SSCP), the Associate of (ISC)², and several other specialized certifications
  ■ The ISACA family of certifications, including the Certified Information Security Manager (CISM), the Certified Information Systems Auditor (CISA), and several other specialized certifications
  ■ The Global Information Assurance Certification (GIAC) family of certifications, including the GIAC Information Security Professional and the GIAC Security Leadership Certification
■ The general management community of interest should integrate information security concepts into the organization’s employment policies and practices. Areas in which information security should be a consideration include:
  ■ Hiring, including job descriptions, interviews, and background checks
  ■ Employment contracts
  ■ New hire orientation
  ■ Performance evaluation
■ Organizations may need the special services of temporary employees, contract employees, consultants, and business partners, but these relationships should be carefully managed to prevent information leaks or theft.
■ Separation of duties is a control used to reduce the chance of any person violating information security and breaching the confidentiality, integrity, or availability of information. According to the principle behind this control, any major task that involves sensitive information should require two people to complete.
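The two-person requirement described in the summary can be enforced in software rather than left to procedure. The following is an added example written for these notes, not code from the textbook or the course: it models a sensitive action (the action name, user names and role table are constructed for illustration) that cannot execute until two distinct approvers, neither of whom is the requester, have signed off.

```python
"""Two-person rule (separation of duties) for a sensitive action.

Added example for these chapter notes; not from the textbook.
All names and roles below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role table: requesters may ask for an action, approvers may
# sign off, auditors may only read the record. Nobody holds two roles.
ROLES = {
    "alice": "requester",
    "bob": "approver",
    "carol": "approver",
    "dave": "auditor",
}


class SeparationOfDutiesError(Exception):
    """Raised when one person would cover more than one duty."""


@dataclass
class SensitiveRequest:
    action: str
    requester: str
    approvals: set = field(default_factory=set)
    log: list = field(default_factory=list)  # audit trail of decisions


def approve(req: SensitiveRequest, approver: str) -> int:
    """Record an approval; return the number of distinct approvals so far."""
    if approver == req.requester:
        req.log.append(f"REJECT self-approval by {approver}")
        raise SeparationOfDutiesError("requester may not approve own request")
    if ROLES.get(approver) != "approver":
        req.log.append(f"REJECT {approver} lacks approver role")
        raise SeparationOfDutiesError(f"{approver} is not an approver")
    if approver in req.approvals:
        req.log.append(f"REJECT duplicate approval by {approver}")
        raise SeparationOfDutiesError("one person cannot count twice")
    req.approvals.add(approver)
    req.log.append(f"APPROVE {approver}")
    return len(req.approvals)


def execute(req: SensitiveRequest, required: int = 2) -> str:
    """Run the action only once the two-person threshold is met."""
    if len(req.approvals) < required:
        req.log.append("REJECT execute: threshold not met")
        raise SeparationOfDutiesError(
            f"need {required} approvals, have {len(req.approvals)}"
        )
    req.log.append(f"EXECUTE {req.action}")
    return f"executed {req.action}"


def demo() -> dict:
    """Walk through the control and report what was blocked and allowed."""
    req = SensitiveRequest(action="rotate-backup-encryption-key", requester="alice")
    result = {}

    # 1. The requester tries to approve her own request: blocked.
    try:
        approve(req, "alice")
        result["self_approval_rejected"] = False
    except SeparationOfDutiesError:
        result["self_approval_rejected"] = True

    # 2. One legitimate approval is not enough to execute.
    result["after_first_approval"] = approve(req, "bob")
    try:
        execute(req)
        result["single_approval_executed"] = True
    except SeparationOfDutiesError:
        result["single_approval_executed"] = False

    # 3. The same approver cannot supply the second signature.
    try:
        approve(req, "bob")
        result["duplicate_rejected"] = False
    except SeparationOfDutiesError:
        result["duplicate_rejected"] = True

    # 4. A second, different approver completes the two-person rule.
    result["after_second_approval"] = approve(req, "carol")
    result["outcome"] = execute(req)
    result["log"] = list(req.log)
    return result


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The audit trail kept in `log` is as important as the check itself: a separation-of-duties control that cannot show who approved what gives an auditor nothing to review.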
Exercises
- Search your library’s database and the Web for an article about people who violate their organization’s policy and are terminated. Did you find many? Why or why not?
- Go to the (ISC)² Web site at www.isc2.org. Research the knowledge areas included in the tests for the CISSP and SSCP certifications. What areas must you study that are not included in this text?
- Using the Web, identify some certifications with an information security component that were not discussed in this chapter.
- Search the Web for at least five job postings for a security analyst. What qualifications do the listings have in common?
- Search the Web for three different employee hiring and termination policies. Review each and look carefully for inconsistencies. Do each of the policies have sections that address information security requirements? What clauses should a termination policy contain to prevent disclosure of an organization’s information? Create your own version of either a hiring policy or a termination policy.
Objectives
• Describe where and how the information security function should be positioned within organizations
• Explain the issues and concerns related to staffing the information security function
• List and describe the credentials that information security professionals can earn to gain recognition in the field
• Discuss how an organization’s employment policies and practices can support the information security effort
• Identify the special security precautions that must be taken when using contract workers
• Explain the need for the separation of duties
• Describe the special requirements needed to ensure the privacy of personnel data