CHAPTER 8: SECURITY MANAGEMENT PRACTICES
Introduction to Security Practices
Organizations strive to deliver the most value with a given level of investment. This is known as the "value proposition."
The development and use of sound and repeatable InfoSec management practices brings organizations closer to meeting this objective.
One of the challenges seldom considered in organizations is the need for a close working relationship between InfoSec, the HR department, and every department or division that is engaged in personnel management, specifically hiring, evaluating, and terminating employees.
Executives and supervisory groups want assurance that the organization is working toward the value proposition and measuring the quality of its management practices, either by comparing its programs to those of other organizations or by measuring compliance against established standards.
Benchmarking
Organizations usually generate a security blueprint by drawing from established security models and frameworks.
Another way to create such a blueprint is to look at the paths taken by organizations like the one whose plan you are developing.
Benchmarking compares your organization’s efforts to those of other organizations you feel are similar in size, structure, or industry.
Benchmarking can help to determine which controls should be considered, but it cannot determine how those controls should be implemented in your organization.
Security Employment Practices
Hiring
Job Descriptions
Integrating InfoSec into the hiring process begins with reviewing and updating job descriptions to include InfoSec responsibilities and screen for unwanted disclosures
Organizations that provide complete job descriptions when advertising open positions should omit the elements of the job description that describe access privileges or the type and sensitivity of information to which the position would have access.
Interviews
InfoSec should advise HR to limit the information provided to the candidates on the access rights of the position
When an interview includes a site visit, the tour should avoid secure and restricted sites, because the visitor could observe enough information about the operations or InfoSec functions to represent a potential threat to the organization
Security Expectations
To heighten InfoSec awareness and change workplace behavior, organizations should incorporate InfoSec components into employee performance evaluations.
Employees pay close attention to job performance evaluations, and including information security tasks in them will motivate employees to take more care when performing these tasks.
Termination Issues
In addition to the standard out-processing tasks, many organizations conduct an exit interview to remind the employee of any contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee's tenure in the organization.
Two methods for handling employee out processing, depending on the employee’s reasons for leaving, are hostile and friendly departures
Personnel Security Practices
There are various ways of monitoring and controlling employees to minimize their opportunities to misuse information.
Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information.
Two-man control (also called two-person control) requires that two individuals review and approve each other's work before the task is considered complete.
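The two controls above are usually described as policy, but they are only effective if the system enforcing them refuses the shortcuts an insider would try: approving one's own request, or counting the same reviewer twice. The following is an added example in Python, not code from the chapter or the author's course; the request, the reviewer names and the privileged action are constructed sample data, and the class and function names are hypothetical.

```python
"""Two-person control over a privileged action (added illustration).

A privileged request may be executed only after two distinct reviewers,
neither of whom is the requester, have approved it. Names and the action
string are constructed sample data; nothing here comes from the chapter.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when an approval would defeat separation of duties."""


@dataclass
class PrivilegedRequest:
    action: str
    requester: str
    required_approvals: int = 2           # two-person control
    approvers: set[str] = field(default_factory=set)

    def approve(self, reviewer: str) -> None:
        """Record an approval, rejecting the two classic bypasses."""
        if reviewer == self.requester:
            # Separation of duties: the initiator may never be an approver.
            raise ControlViolation(f"{reviewer} cannot approve their own request")
        if reviewer in self.approvers:
            # The same person approving twice does not make two approvals.
            raise ControlViolation(
                f"{reviewer} has already approved; the second approver must be a different person"
            )
        self.approvers.add(reviewer)

    def is_authorized(self) -> bool:
        return len(self.approvers) >= self.required_approvals


def execute(request: PrivilegedRequest, audit_log: list[str]) -> bool:
    """Run the action only if authorized; every decision is written to the audit trail."""
    if not request.is_authorized():
        audit_log.append(
            f"DENIED {request.action} by {request.requester}: "
            f"{len(request.approvers)}/{request.required_approvals} approvals"
        )
        return False
    audit_log.append(
        f"EXECUTED {request.action} by {request.requester}, approved by {sorted(request.approvers)}"
    )
    return True


def demo() -> list[str]:
    """Walk one request through the control; returns the audit trail."""
    log: list[str] = []
    req = PrivilegedRequest(action="export customer PII", requester="alice")
    execute(req, log)                      # denied: no approvals yet
    for reviewer in ("alice", "bob", "bob"):   # self-approval, valid, duplicate
        try:
            req.approve(reviewer)
        except ControlViolation as err:
            log.append(f"REJECTED approval: {err}")
    execute(req, log)                      # still denied: only one distinct approver
    req.approve("carol")
    execute(req, log)                      # authorized: two distinct non-requesters
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit log is part of the control, not decoration: a two-person rule that leaves no record of who approved what cannot be reviewed afterwards, which is the point of the personnel practices in this section.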
Security of Personnel & Personal Data
Organizations are required by law to protect sensitive or personal employee information, including personally identifying facts such as employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members.
This responsibility also extends to customers, patients, and anyone with whom the organization has business relationships.
Contracts & Employments
Once a candidate has accepted a job offer, the employment contract becomes an important security instrument.
Job candidates can be offered "employment contingent upon agreement": they are not offered a position unless they agree to the binding organizational policies.
New employees should receive an extensive information security briefing.
Organizations should conduct periodic security awareness and training activities to keep security at the forefront of employees' minds and minimize employee mistakes.
Security Considerations for Temporary Employees, Consultants & Other Workers
Relationships with individuals in this category should be carefully managed to prevent threats to information assets from materializing.
Information Security Performance Measurement
InfoSec performance management is the process of designing, implementing, and managing the use of the collected data elements (called measures or metrics) to determine the effectiveness of the overall security program.
Performance measurements (or measures) are data points or computed trends that may indicate the effectiveness of security countermeasures or controls—technical and managerial—as implemented in the organization.
Organizations use three types of measurements:
Those that determine the effectiveness of the execution of InfoSec policy, most commonly issue-specific security policies.
Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services.
Those that assess the impact of an incident or other security event on the organization or its mission.
Four critical success factors of an InfoSec performance program:
Strong upper-level management support.
Practical InfoSec policies and procedures.
Quantifiable performance measurements.
Results-oriented measurement analysis.
SITI AISYAH SYAFIQAH BINTI YUSOF (2022787025)