Deck 11: Security and Personnel

The use of standard job descriptions can increase the degree of professionalism in the information security field.

A background check must always be conducted to determine the level of trust the business can place in a candidate for an information security position.

CompTIA offers a vendor-specific certification program called the Security+ certification.

In most cases, organizations look for a technically qualified information security generalist who has a solid understanding of how an organization operates.

The process of integrating information security perspectives into the hiring process begins with reviewing and updating all job descriptions.

The CISSP concentrations are available for CISSPs to demonstrate knowledge that is already a part of the CISSP CBK.

The advice "Know more than you say, and be more skillful than you let on" for information security professionals indicates that the actions taken to protect information should not interfere with users' actions.

In many organizations, information security teams lack established roles and responsibilities.

Organizations are not required by law to protect employee information that is sensitive or personal.

The position of security technician can be offered as an entry-level position.

The SSCP examination is much more rigorous than the CISSP examination.

The CISSP-ISSEP concentration focuses on the knowledge areas that are part of enterprise security management.

An organization should integrate security awareness education into a new hire's ongoing job orientation and make it a part of every employee's on-the-job security training.

To maintain a secure facility, all contract employees should be escorted from room to room, as well as into and out of the facility.

The information security function cannot be placed within protective services.

The security manager position is much more general than that of the CISO.

"Builders" in the field of information security provide day-to-day systems monitoring and use to support an organization's goals and objectives.

The general management community of interest must work with information security professionals to integrate solid information security concepts into the personnel management practices of the organization.

Existing information security-related certifications are typically well understood by those responsible for hiring in organizations.

The general management community of interest must plan for the proper staffing of the information security function. _________________________

Many hiring managers in information security prefer to recruit a security professional who already has proven HR skills and professional experience, since qualified candidates with information security experience are scarce. _________________________

GIAC stands for Global Information Architecture Certification. _________________________

ISSEP stands for Information Systems Security Experienced Professional. _________________________

Friendly departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting. _________________________

The International Society of Forensic Computer Examiners (ISFCE) offers two levels of certification: the Certified Computer Examiner (CCE) and the Master Certified Computer Examiner (MCCE). _________________________

ISSMP stands for Information Systems Security Monitoring Professional. _________________________

ISSAP stands for Information Systems Security Architecture Professional. _________________________

Upper management should learn more about the budgetary needs of the information security function and the positions within it. _________________________

The most common credential for a CISO-level position is the Security+ certification. _________________________

A mandatory furlough provides the organization with the ability to audit the work of an individual. _________________________

The CISA credential is geared toward experienced information security managers and others who may have similar management responsibilities. _________________________

ISACA touts the CISA certification as being appropriate for accounting, networking, and security professionals. _________________________

"Administrators" provide the policies, guidelines, and standards in the Schwartz, Erwin, Weafer, and Briney classification. _________________________

Security managers accomplish objectives identified by the CISO and resolve issues identified by technicians. _________________________

Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and ____________________ areas.

The ____________________ acts as the spokesperson for the information security team.

It is important to gather employee ____________________ early about the information security program and respond to it quickly.

Because the goals and objectives of CIOs and CISOs tend to contradict each other, InformationWeek recommends: "The people who do and the people who watch shouldn't report to a ____________________ manager."

To assess the effect that changes will have on the organization's personnel management practices, the organization should conduct a ____________________feasibility study before the program is implemented.

Sometimes, contracted employees are self-employed or are employees of an organization hired for a specific, one-time purpose. These people are typically referred to as ____________________.

SANS developed a series of technical security certifications in 1999 that are known as the Global Information ____________________ Certification or GIAC family of certifications.

Job ____________________ can greatly increase the chance that an employee's misuse of the system or abuse of information will be detected by another employee.

When new employees are introduced into the organization's culture and workflow, they should receive an extensive information security briefing as part of their employee ____________________.

A(n) ____________________ agency provides specifically qualified individuals at the paid request of another company.

The ____________________ of (ISC)² program is geared toward those who want to take the CISSP or SSCP exam before obtaining the requisite experience for certification.

The CISSP certification requires both the successful completion of the examination and an ____________________ by a qualified third party, typically another similarly certified professional, the candidate's employer, or a licensed, certified, or commissioned professional.

Once a candidate has accepted a job offer, the employment ____________________ becomes an important security instrument.

ISACA offers the CGEIT as well as the CISA and ____________________ certifications.

What functions does the CISO perform?

The process of ensuring that no unnecessary access to data exists and that employees are able to perform only the minimum operations necessary on a set of data is referred to as the principle of ____________________.

Security ____________________ are accountable for the day-to-day operation of the information security program.

_____________________ departures include resignation, retirement, promotion, or relocation.

What tasks must be performed when an employee prepares to leave an organization?

Separation of ____________________ is used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information.

Related to the concept of separation of duties is that of ____________________, the requirement that two individuals review and approve each other's work before the task is categorized as finished.

Describe the concept of separation of duties.

Certifications are designed to recognize ____________________ in their respective fields.