security and personnel bp11521

Security And Personnel

Upload: merlin-florrence

Post on 10-Nov-2014


Contents:

Introduction

The security function within an organization’s structure

Staffing the security function

Qualification and Requirements

Entry into security profession

Information Security Positions

Chief information security officer

Security manager

Security technician

Internal security consultant


Introduction

Each organization should examine the options possible for staffing the information security function.

When implementing security in an organization, there are many human resources issues that must be addressed:

The entire organization must decide how to position and name the security function within the organization.

The information security community of interest must plan for proper staffing of the information security function.

The IT community of interest must understand the impact of information security on its own work.

The general management community of interest must work with the information security professionals to integrate solid information security concepts into the organization.


The Security Function within an organization’s structure

The security function can be placed within the:

IT function, as a peer of other functions such as networks, applications development, and the help desk

Physical security function, as a peer of physical security or protective services

Administrative services function, as a peer of human resources or purchasing

Insurance and risk management function

Legal department


Staffing the security function

Selecting information security personnel is based on a number of criteria.

Some of these factors are within the control of the organization and others are not.

The factors covered here are:

Qualifications and requirements

Entry into the security profession

Information security positions


Qualifications and Requirements:

A number of factors influence an organization’s hiring decisions. Because information security has only recently emerged as a separate discipline, the hiring decisions in this field are further complicated by a lack of understanding among organizations about what qualifications a potential information security hire should exhibit.

Currently in many organizations, information security teams lack established roles and responsibilities.

Establishing better hiring practices in an organization requires the following:

The general management community of interest should learn more about the skills and qualifications for both information security positions and those IT positions that impact information security.


Upper management should learn more about the budgetary needs of the information security function and the positions within it. This will enable management to make sound fiscal decisions for both the information security function and the IT functions that carry out many of the information security initiatives.

The IT and general management communities should grant appropriate levels of influence and prestige to the information security function, and especially to the role of chief information security officer.

When hiring information security professionals, organizations frequently look for individuals who understand the following:

How an organization operates at all levels

That information security is usually a management problem and is seldom an exclusively technical problem

How to work with people and collaborate with end users, and the importance of strong communications and writing skills

The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution, rather than part of the problem

Most mainstream IT technologies (not necessarily as experts, but as generalists)

The terminology of IT and information security

The threats facing an organization and how these threats can become attacks

How to protect an organization’s assets from information security attacks

How business solutions (including technology-based solutions) can be applied to solve specific information security problems


Entry into the Information Security Profession

Many information security professionals enter the field through one of two career paths:

Ex-law enforcement and military personnel involved in national security and cyber-security tasks, who move from those environments into business-oriented information security

Technical professionals (networking experts, programmers, database administrators, and systems administrators) who find themselves working on information security applications and processes more often than on traditional IT assignments

In recent years, a third (perhaps in some sense more traditional) career path has developed: college students who select and tailor their degree programs to prepare for work in the field of information security.


Information Security Positions

The use of standard job descriptions can increase the degree of professionalism in the information security field as well as improve the consistency of roles and responsibilities among organizations.

Organizations anticipating a revision of these roles and responsibilities can consult Charles Cresson Wood’s book Information Security Roles and Responsibilities Made Easy, which offers a set of model job descriptions for information security positions.

The book also identifies the responsibilities and duties of the members of the IT staff whose work involves information security.

Positions in information security

Chief Security Officer

Information Security Consultant

Physical Security Manager

Information Security Manager

Physical Security Officer

Information Security Technician / Engineer

Information Security Administrator


Chief Information Security Officer (CISO or CSO)

This is typically the top information security officer in the organization. In many cases, the CISO is the major definer or architect of the information security program. The CISO performs the following functions:

Manages the overall information security program for the organization

Drafts or approves information security policies

Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans

Develops information security budgets based on available funding

Sets priorities for the purchase and implementation of information security projects and technology

Makes decisions or recommendations on the recruiting, hiring, and firing of security staff

Acts as the spokesperson for the information security team


Security Manager

Security managers are accountable for the day-to-day operation of the information security program.

They accomplish objectives identified by the CISO and resolve issues identified by technicians.

Management of technology requires an understanding of the technology administered, but does not necessarily require proficiency in the technology’s configuration, operation, and fault resolution.


Security Technician

Security technicians are the technically qualified individuals tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization’s security technology is properly implemented.

The position of security technician is often entry level, but to be hired in this role, candidates must possess some technical skills.

This often poses a dilemma for applicants: many seeking to enter a new field find it difficult to get a job without experience, which they can only gain by getting a job.

From the internet

http://www.securitypersonnel.com/ Providing services for securing business information.

• http://system.vccs.edu/its/standards/PersonnelSecurityStandard.htm

• Personnel Security Standard: Purpose

This standard is intended to ensure security controls and related procedures are implemented to protect the privacy, security and integrity of VCCS information technology resources against unauthorized or improper use, and to prevent and detect attempts to compromise information technology resources by any employee who is separated, transferred, or promoted.

• http://www.cpni.gov.uk/advice/Personnel-security1/

Cyber security, Personnel security, Physical security
