Deck 11: Security Maintenance and the Management of Digital Forensics
1
Using your local telephone directory, locate a service that offers background checks. Select one at random and call to determine the costs of conducting such checks. How much should an organization spend on conducting these checks if it interviews dozens of potential employees?
A service that offers background checks is US Search.
The cost of conducting such checks is $50 per employee. If an organization interviews dozens of potential employees and conducts checks on all of them, it will be quite costly for the firm. A better practice is to conduct the check only for the candidates who have cleared the selection process and have been recruited for the job.
2
List and describe the types of nonemployee workers often used by organizations. What special security considerations apply to such workers, and why are they significant?
The nonemployee workers often used by organizations are:
Temporary Workers: Organizations sometimes employ people to fill positions temporarily or to supplement the existing workforce. These people are known as temporary workers or temps. They mainly provide security and administrative support, but can be appointed to any position, including executive positions.
Contract Employees: To perform specific services, organizations hire contractors or contract employees. They are generally hired by a third-party organization. These employees are mainly electricians, mechanics, maintenance service staff, groundskeepers, and other repair staff. They can also be attorneys, technical consultants, and IT specialists.
Security concerns that apply to such workers and their significance
Because of the duties assigned to temps and contractors, they are exposed to a wide range of information. They gain access to virtually all areas, and they are not appointed by the organization for which they are working. They may not be subject to the contractual obligations or general policies of the employer. Hence, in this situation the only action the host organization can take is to terminate the temp's service or the contract, as the case may be. To avoid such situations, the following security measures must be taken:
• Temps' access to information should be limited to what is necessary to perform their duties.
• The organization should attempt to have temps sign nondisclosure agreements and fair use policies.
• It should be ensured that the employees who supervise temps restrict their access to information. All employees, including temps, should follow good security practices, especially clean desk policies and securing classified data.
• All service contractors should be escorted from room to room, and into and out of the facility.
• When a contractor reports for maintenance or repair service, someone must verify that the service was scheduled or requested.
• Direct oversight is necessary to prevent attackers from gaining physical access to the building.
• The security agreement or contract should contain security regulations such as 24 to 48 hours' notice for maintenance visits.
3
What attributes do organizations seek in a candidate when hiring InfoSec professionals? Prioritize this list of attributes and justify your ranking.
Organizations look for the following attributes when hiring information security professionals:
1. Skill set of the candidate.
2. Experience level of the candidate in a similar job profile.
3. Technical abilities of the candidate.
4. Good communication ability.
The skills of the employee and communication ability are the most important attributes for the job of information security professional. After these, the technical skills of the employee are addressed.
The reason is that skills and communication ability are important for efficient functioning. A person who lacks them cannot perform the duties assigned to him.
4
What is separation of duties? How can this method be used to improve an organization's InfoSec practices?
5
Using the descriptions given in this chapter, write a job description for Iris's new position, which is described in the following case scenario. What qualifications and responsibilities should be associated with this position?
6
What is least privilege? Why is implementing least privilege important?
7
What are the critical actions that management must consider taking when dismissing an employee? Do these issues change based on whether the departure is friendly or hostile?
8
How do the security considerations for temporary or contract workers differ from those for regular employees?
9
Which two career paths are often used as entrees into the information security discipline? Are there other paths? If so, describe them.
10
Why is it important to have a body of standard job descriptions for hiring InfoSec professionals?
11
What functions does the CISO perform, and what are the key qualifications and requirements for the position?
12


If you were Iris, how would you reply to Gloria's question?
13
What functions does the security manager perform, and what are the key qualifications and requirements for the position?
14
Using the Internet, find at least five job postings for security administrators. What qualifications do the listings have in common?
15
What functions does the security technician perform, and what are the key qualifications and requirements for the position?
16
When an organization undertakes an InfoSec-driven review of job descriptions, which job descriptions must be reviewed? Which IT jobs not directly associated with information security should be reviewed?
17
What functions does the internal security consultant perform, and what are the key qualifications and requirements for the position?
18


What, if anything, is wrong with the human resources focus depicted here? Examine the relationship between certifications and experience. Do certifications alone identify the job candidates with the most appropriate expertise and work experience?
19
What is the rationale for acquiring professional credentials?
20
Go to the (ISC)² Web site (www.isc2.org). Research the body of knowledge requirements for the CISSP and the SSCP. Which required areas are not covered in this text?
21
List and describe the certification credentials available to InfoSec professionals.
22
List and describe the criteria for selecting InfoSec personnel.
23
In your opinion, who should pay for the expenses of certification? Under what circumstances would your answer be different? Why?
24
Using the Internet, search for three different employee hiring and termination policies. Review each and look carefully for inconsistencies. Does each have a section addressing the requirements for the security of information? What clauses should a termination policy contain to prevent disclosure of the organization's information? Create your own variant of either a hiring or a termination policy.
25
List and describe the standard personnel practices that are part of the InfoSec function. What happens to these practices when they are integrated with InfoSec concepts?
26
What are some of the factors that influence an organization's hiring decisions?
27
Why shouldn't you show a job candidate secure areas during interviews?