CHAPTER 9: SECURITY MANAGEMENT PRACTICES
Security Employment Practices
Hiring
From an information security perspective, the hiring of employees is laden with potential security pitfalls
Job Descriptions
Integrating InfoSec into the hiring process begins with reviewing and updating job descriptions to include InfoSec responsibilities and screen for unwanted disclosures
Interviews
Information security should advise human resources to limit the information provided to candidates about the access rights of the position
Background Checks
Common types include:
Education and credential
Previous employment verification
Identity
References
Worker’s compensation history
Motor vehicle records
Drug history
Medical history
Credit history
Civil court history
Criminal court history
Contracts and Employment
Once a candidate has accepted a job offer, the employment contract becomes an important security instrument
Job candidates can be offered “employment contingent upon agreement,” whereby they are not offered a position unless they agree to the binding organizational policies
Security Expectations in the Performance Evaluation
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
Information Security Performance Measurement
InfoSec Performance Management
InfoSec performance management is the process of designing, implementing, and managing the use of the collected data elements
Building the Performance Measurement Program
Even with strong management support, an information security measures program as part of a security performance management program must be able to demonstrate value to the organization
Specifying InfoSec Measurements
One of the critical tasks in the measurement process is to assess and quantify what will be measured
While InfoSec planning and organizing activities may only require time estimates, you must obtain more detailed measurements when assessing the effort spent to complete production tasks
Collecting InfoSec Measurements
Once the question of what to measure is answered, the how, when, where, and who questions of metrics collection must be addressed
Some thought must go into the processes used for data collection and record keeping
Measurements Development Approach
One of the priorities in building an information security measurement program is determining whether these measures will be macro-focus or micro-focus, or some combination thereof
Macro-focus measurements
Micro-focus measurements
Benchmarking
Organizations usually generate a security blueprint by drawing from established security models and frameworks
Using this method, which is called benchmarking, you compare your organization’s efforts to those of other organizations you feel are similar in size, structure, or industry
Standards of Due Care/Due Diligence
For legal reasons, certain organizations may be compelled to adopt a stipulated minimum level of security. To establish a future legal defense, they may need to verify that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care
Recommended Security Practices
Security efforts that seek to provide a superior level of performance in the protection of information are called recommended practices, whereas security efforts that are considered among the best in the industry are termed best security practices
Selecting Recommended Practices
Industries that are regulated by laws and standards and are subject to government or industry oversight are required to meet the regulatory or industry guidelines in their security practices