CISSP For Dummies

CISSP candidates must have a basic understanding of various employment policies and practices, as well as how these policies achieve information security objectives. You should also know the various information security roles and responsibilities within an organization.

 Cross-Reference   We also discuss various components of personnel security in Chapter 9.

Background checks and security clearances

Pre-and post-employment background checks can provide an employer with valuable information about an individual being considered for a job or position within an organization. Such checks can give an immediate indication of an individual’s integrity and can help screen out unqualified applicants.

Basic background checks should be conducted for all personnel with access to sensitive information or systems within an organization. A basic background check should include

• Reference checks: Personal, professional, and employment

• Verification of data in employment applications and resumes: Social Security numbers, education, professional/technical certifications, military records, and previous employment

• Other records: Court, local law enforcement, and motor vehicle records

Personnel who fill more sensitive positions should undergo a more extensive pre-employment screening and background check, possibly including

• Credit records

• Drug testing

• Special background investigation: FBI and INTERPOL records, field interviews with former associates, or a personal interview with a private investigator

Periodic post-employment screenings (such as credit records and drug testing) may also be necessary, particularly for personnel with access to financial data or personnel being considered for promotions to more sensitive or responsible positions.

Employment agreements

Various employment agreements should be signed when an individual joins an organization or is promoted to a more sensitive position within an organization. Typical employment agreements include non-compete/non-disclosure agreements and acceptable use policies.

Hiring and termination practices

Hiring and termination practices should be formalized within an organization to ensure fair and uniform treatment and to protect the organization and its information assets.

Standard hiring practices should include background checks and employment agreements (as we discuss in the earlier section “Background checks and security clearances”), as well as a formal indoctrination and orientation process. This process may include formal introductions to key organizational personnel, creating user accounts and assigning IT resources (PCs and notebook computers), assigning security badges and parking permits, and a general policy discussion with human resources personnel.

Formal termination procedures should be implemented to help protect the organization from potential lawsuits, property theft and destruction, unauthorized access, or workplace violence. Procedures should be developed for various scenarios including resignations, termination, layoffs, accident or death, immediate departures versus prior notification, and hostile situations. Termination procedures may include

• Surrendering keys, security badges, and parking permits

• Conducting an exit interview

• Security escort to collect one’s personal belongings and/or to leave the premises

• Returning company materials (notebook computers, mobile phones, PDAs)

• Changing door locks and system passwords

• Formal turnover of duties and responsibilities

• Removing network and system access and disabling user accounts

• Policies regarding retention of e-mail, personal files, and employment records

• Notification of customers, partners, vendors, and contractors, as appropriate

Job descriptions

Concise job descriptions that clearly identify an individual’s responsibility and authority, particularly on information security issues, help

• Reduce confusion and ambiguity

• Provide legal basis for an individual’s authority or actions

• Demonstrate negligence or dereliction in carrying out assigned duties

Security roles and responsibilities

The true axiom that information security is everyone’s responsibility is too often put into practice as Everyone is responsible, but no one is accountable. To avoid this pitfall, specific roles and responsibilities for information security should be defined in an organization’s security policy, individual job or position descriptions, and third-party contracts. These roles and responsibilities should apply to employees, consultants, contractors, interns, and vendors. And they should apply to every level of staff, from C-level executive to line employees. Several broad categories for information security roles and common responsibilities are discussed in the following sections.

Management

Senior-level management is often responsible for information security at several levels, including the role as an information owner, which we discuss in the next section. However, in this context, management has a responsibility to demonstrate a strong commitment to an organization’s information security program. This commitment can be achieved through the following actions:

• Corporate information security policy: This policy should include a statement of support from management and should also be signed by the CEO or COO.

• Leadership by example: A CEO who refuses to carry a mandatory identification badge or who bypasses system access controls sets a poor example.

• Compensation: Expect proper security behavior and reward employees accordingly.

 Remember   Management is always ultimately responsible for an organization’s overall information security and for any information security decisions that are made (or not made). Our role as information security professionals is to report security issues and to make appropriate information security recommendations to management.

Owner

An information owner is normally assigned at an executive or senior-management level within an organization, such as director or vice-president. An information owner doesn’t legally own the information that he or she is assigned; the information owner is ultimately responsible for the safeguarding of assigned information assets and may have fiduciary responsibility or be held personally liable for negligence in protecting these assets under the concept of due care.

 Cross-Reference   For more on due care, read Chapter 12.

Typical responsibilities of an information owner may include

• Determining information classification levels for assigned information assets

• Determining policy for access to the information

• Maintaining inventories and accounting for assigned information assets

• Periodically reviewing classification levels of assigned information assets for possible downgrading, destruction, or disposal

• Delegating day-to-day responsibility (but not accountability) and functions to a custodian

Custodian

An information custodian is the individual with day-to-day responsibility for protecting information assets. IT systems or network administrators often fill this role. Typical responsibilities may include

• Performing regular backups and restoring data when necessary

• Ensuring that directory and file permissions are properly implemented and provide sufficient protection

• Assigning new users to appropriate permission groups and revoking user privileges, when required

 Remember   The distinction between owners and custodians, particularly regarding their different responsibilities, is an important concept in information security management. The information owner is the individual that has ultimate responsibility for the security of the information, whereas the information custodian is the individual responsible for the day-to-day security administration.

Users

An end-user (or user) includes just about everyone within an organization. Users aren’t specifically designated. They can be broadly defined as anyone with authorized access to an organization’s internal information or information systems. Typical user responsibilities include

• Complying with all security requirements defined in organizational policies, standards, and procedures, applicable legislative or regulatory requirements, and contractual requirements (such as non-disclosure agreements and service-level agreements)

• Exercising due care in safeguarding organizational information and information assets

• Participating in information security training and awareness efforts

• Reporting any suspicious activity, security violations, security problems, or security concerns to appropriate personnel

Separation of duties and responsibilities

The concept of separation (or segregation) of duties and responsibilities ensures that no single individual has complete authority and control of a critical system or process. This practice promotes security in the following ways:

• Reduces opportunity for waste, fraud, or abuse

• Provides two-man control (or dual-control, two-person integrity)

• Reduces dependence on individuals

In smaller organizations, this practice can sometimes be difficult to implement because of limited personnel and resources.

 Cross-Reference   See the section “Avoiding single points of failure” earlier in this chapter.

Job rotations

Job rotations (or rotation of duties) are another effective security control with many benefits to an organization. Similar to the concept of separation of duties and responsibilities, job rotations involve regularly transferring key personnel into different positions or departments within an organization. Job rotations benefit an organization in the following ways:

• Reduce opportunity for waste, fraud, or abuse

• Reduce dependence, through cross-training opportunities, on individuals; also promotes professional growth

• Reduce monotony and/or fatigue for individuals

As with the practice of separation of duties, job rotations can be difficult to implement in smaller organizations.

 Tip   A side-benefit of job rotations is that persons are far less likely to commit fraudulent activities, for fear that they will be caught if they are unexpectedly rotated into another position.