Deck 11: Security and Personnel

In most cases, organizations look for a technically qualified information security generalist who has a solid understanding of how an organization operates.

To maintain a secure facility, all contract employees should be escorted from room to room, as well as into and out of the facility.

The process of integrating information security perspectives into the hiring process begins with reviewing and updating all job descriptions.

"Builders" in the field of information security provide day-to-day systems monitoring and use to support an organization's goals and objectives.

The CISSP-ISSEP concentration focuses on the knowledge areas that are part of enterprise security management.

The security manager position is much more general than that of the CISO.

The advice "Know more than you say, and be more skillful than you let on" for information security professionals indicates that the actions taken to protect information should not interfere with users' actions.

The general management community of interest must work with information security professionals to integrate solid information security concepts into the personnel management practices of the organization.

The use of standard job descriptions can increase the degree of professionalism in the information security field.

In many organizations, information security teams lack established roles and responsibilities.

The general management community of interest must plan for the proper staffing of the information security function. _________________________

The CISSP concentrations are available for CISSPs to demonstrate knowledge that is already a part of the CISSP CBK.

A background check must always be conducted to determine the level of trust the business can place in a candidate for an information security position.

CompTIA offers a vendor-specific certification program called the Security+ certification.

The position of security technician can be offered as an entry-level position.

The information security function cannot be placed within protective services.

Existing information security-related certifications are typically well understood by those responsible for hiring in organizations.

An organization should integrate security awareness education into a new hire's ongoing job orientation and make it a part of every employee's on-the-job security training.

The SSCP examination is much more rigorous than the CISSP examination.

"Administrators" provide the policies, guidelines, and standards in the Schwartz, Erwin, Weafer, and Briney classification. _________________________

Friendly departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting. _________________________

ISSEP stands for Information Systems Security Experienced Professional. _________________________

Upper management should learn more about the budgetary needs of the information security function and the positions within it. _________________________

ISSMP stands for Information Systems Security Monitoring Professional. _________________________

The International Society of Forensic Computer Examiners (ISFCE) offers two levels of certification: the Certified Computer Examiner (CCE) and the Master Certified Computer Examiner (MCCE). _________________________

Security managers accomplish objectives identified by the CISO and resolve issues identified by technicians. _________________________

The most common credential for a CISO-level position is the Security+ certification. _________________________

ISACA touts the CISA certification as being appropriate for accounting, networking, and security professionals._________________________

GIAC stands for Global Information Architecture Certification. _________________________

The CISA credential is geared toward experienced information security managers and others who may have similar management responsibilities._________________________

ISSAP stands for Information Systems Security Architecture Professional. _________________________

Many hiring managers in information security prefer to recruit a security professional who already has proven HR skills and professional experience, since qualified candidates with information security experience are scarce. _________________________

A mandatory furlough provides the organization with the ability to audit the work of an individual. _________________________

It is important to gather employee ____________________ early about the information security program and respond to it quickly.

Security ____________________ are accountable for the day-to-day operation of the information security program.

Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and ____________________ areas.

The ____________________ acts as the spokesperson for the information security team.

Because the goals and objectives of CIOs and CISOs tend to contradict each other, InformationWeek recommends: "The people who do and the people who watch shouldn't report to a ____________________ manager."

To assess the effect that changes will have on the organization's personnel management practices, the organization should conduct a ____________________feasibility study before the program is implemented.

When new employees are introduced into the organization's culture and workflow, they should receive an extensive information security briefing as part of their employee ____________________.

Describe the concept of separation of duties.

The process of ensuring that no unnecessary access to data exists and that employees are able to perform only the minimum operations necessary on a set of data is referred to as the principle of ____________________.

SANS developed a series of technical security certifications in 1999 that are known as the Global Information ____________________ Certification or GIAC family of certifications.

Once a candidate has accepted a job offer, the employment ____________________ becomes an important security instrument.

Related to the concept of separation of duties is that of ____________________, the requirement that two individuals review and approve each other's work before the task is categorized as finished.

The CISSP certification requires both the successful of the examination and an ____________________ by a qualified third party, typically another similarly certified professional, the candidate's employer, or a licensed, certified, or commissioned professional.

The ____________________ of (ISC)2 program is geared toward those who want to take the CISSP or SSCP exam before obtaining the requisite experience for certification.

What functions does the CISO perform

What tasks must be performed when an employee prepares to leave an organization

ISACA offers the CGEIT as well as the CISA and ____________________ certifications.

Job ____________________ can greatly increase the chance that an employee's misuse of the system or abuse of information will be detected by another employee.

Sometimes, contracted employees are self-employed or are employees of an organization hired for a specific, one-time purpose. These people are typically referred to as ____________________.

Separation of ____________________ is used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information.

Certifications are designed to recognize  ____________________ in their respective fields.

A(n) ____________________ agency provides specifically qualified individuals at the paid request of another company.

_____________________ departures include resignation, retirement, promotion, or relocation.