xdxdxd123 May 31st, 2017 1,341 Never
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Remote Computing Security
Key Terms
telecommuting A work arrangement in which employees work from an off-site location and connect to an organization’s equipment electronically. Also known as telework.
telework See telecommuting.
virtual organization A group of people brought together for a specific task, usually from different organizations, divisions, or departments.
Remote site computing, which is becoming increasingly popular, involves a wide variety of computing sites outside the organization’s main facility and includes all forms of telecommuting. Telecommuting (or telework) involves off-site computing that uses Internet connections, dial-up connections, connections over leased point-to-point links between offices, and other mechanisms.
Telecommuting from users’ homes deserves special attention. One of the appeals of telecommuting is that employees can avoid physical commuting and have more time to focus on their work. But, as more people become telecommuters, the risk to information traveling via their often unsecured connections is substantial. The problem is that not enough organizations provide secure connections to their office networks, and even fewer provide secure systems if the employee’s home computer is compromised. To secure the entire network, the organization must dedicate security resources to protecting these home connections. Although the installation of a virtual private network (VPN) may go a long way toward protecting the data in transmission, telecommuters frequently store office data on their home systems, in home filing cabinets, and on off-site media. To ensure a secure process, the computers that telecommuters use must be made more secure than the organization’s systems, because they are outside the security perimeter. An attacker who breaks into someone’s home would probably find a much lower level of security than at an office. Most office systems require users to log in, but the telecommuter’s home computer is probably a personal machine. Thus, it has a much less secure operating system or may not require a password. Telecommuters must use a securable device with a client operating system that can be configured to require password authentication, such as Windows 7/8, a current-generation Mac, or a properly configured Linux distribution. They must store all loose data in locking filing cabinets and loose media in locking fire safes. They must handle data at home more carefully than they would at the office, because the general level of security for the average home is less than that of a commercial building.
The same principles apply to workers using portable computing devices on the road. Employees who use tablets, smartphones, and notebook computers in hotel rooms should presume that their unencrypted transmissions are being monitored, and that any unsecured notebook computer can be stolen. The off-site worker using leased facilities does not know who else is attached to the network and who might be listening to his or her data conversations. VPNs are a must in all off-site to on-site communications, and the use of associated advanced authentication systems is strongly recommended.
Although it is possible to secure remote sites, organizations cannot assume that employees will invest their own funds for security. Many organizations barely tolerate telecommuting for a number of reasons, foremost among them that such employees generally require two sets of computing equipment, one for the office and one for the home. This extra expense is difficult to justify, especially when the employee is the only one gaining the benefit from telecommuting. In rare cases in which allowing employees or consultants to telecommute is the only way for them to gain extremely valuable skills, the organization is usually willing to do what is necessary to secure its systems. Only when additional research into telecommuting clearly displays a bottom-line advantage do organizations begin to invest sufficient resources into securing telecommuting equipment.
However, some organizations do support telecommuting, and they typically fall into one of three groups. The first is the mature and fiscally sound organization with a sufficient budget to support telecommuting and thus enhance its standing with employees and its own image. In recent years, the option to telecommute has become more important in organizational rankings developed by various magazines. Some organizations seek to improve employee work conditions and improve their position in best-workplace rankings by adding telecommuting as an option for employees. The second group consists of new high-technology companies with large numbers of geographically diverse employees who telecommute almost exclusively. These companies use technology extensively and are determined to make it the cornerstone of their organizations. The third group overlaps with the second, and is called a virtual organization. A virtual organization is a group of people from different organizations who form a virtual company, either in leased facilities or through 100-percent telecommuting arrangements. When the job is done, the organization is either redirected or dissolved. These organizations rely almost exclusively on remote computing and telecommuting, but they are rare and therefore are not well documented or studied.
For more information on telework, including the Telework Enhancement Act of 2010, visit www.telework.gov.
Special Considerations for Physical Security
An organization must account for several special considerations when developing a physical security program. The first is the question of whether to handle physical security in-house or to outsource it. As with any aspect of information security, the make-or-buy decision should not be made lightly. Many qualified and professional agencies can provide physical security consulting and services. The benefits of outsourcing physical security include gaining the experience and knowledge of these agencies, many of which have been in the field for decades. Outsourcing unfamiliar operations always frees an organization to focus on its primary objectives rather than support operations. The disadvantages include the expense, the loss of control over individual components of physical security, and the need to trust another company to perform an essential business function. An organization must trust the processes used by the contracted company and its ability to hire and retain trustworthy employees who respect the security of the contracting company, even though they have no allegiance to it. This level of trust is often the most difficult aspect of the decision to outsource, because the reality of outsourcing physical security is that an outside agency will be providing a safeguard that the organization administers only marginally.
Another physical security consideration is social engineering. As you learned in previous chapters, social engineering involves using people skills to obtain confidential information from employees. While most social engineers prefer to use the telephone or computer to solicit information, some attempt to access the information more directly. Technically proficient agents can be placed in janitorial positions at a competitor’s office, and an outsider can gain access to an organization’s resources in other ways. For example, most organizations do not have thorough procedures for authenticating and controlling visitors who access their facility. When no procedure is in place, no one gives the wandering repairman, service worker, or city official a second look. It is not difficult to get a clipboard, dress like a repairman or building inspector, and move freely throughout a building. If you look like you have a mission and appear competent, most people will leave you alone. Organizations can combat this type of attack by requiring all people who enter the facility to display appropriate visitor badges and be escorted in restricted areas.
Selected Readings
Effective Physical Security, Third Edition by Lawrence Fennelly. 2004. Butterworth Heinemann.
Build the Best Data Center Facility for Your Business by Douglas Alger. 2005. Cisco Press.
Guard Force Management, Updated Edition by Lucien Canton. 2003. Butterworth Heinemann.
Chapter Summary
■ Physical security requires the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
■ Many threats to information security can also be classified as threats to physical security. An organization’s policy should guide the planning for physical security throughout the development life cycle.
■ In facilities management, a secure facility is a physical location that has controls to minimize the risk of attacks from physical threats. A secure facility can use natural terrain, traffic flow, and urban development, and can complement these environmental elements with protection mechanisms, such as fences, gates, walls, guards, and alarms.
■ The management of keys and locks is a fundamental part of general management’s responsibility for the organization’s physical environment.
■ A fail-safe lock is typically used on an exit door when human safety in a fire or other emergency is the essential consideration. A fail-secure lock is used when human safety is not a factor.
■ Monitoring equipment can record events that guards and dogs might miss, and can be used in areas where other types of physical controls are not practical.
■ As with any phase of the security process, the implementation of physical security must be constantly documented, evaluated, and tested. Once the physical security of a facility is established, it must be diligently maintained.
■ Fire detection systems are devices that detect and respond to a fire or potential fire. Fire suppression systems stop the progress of a fire once activated.
■ The three basic types of fire detection systems are thermal detection, smoke detection, and flame detection.
■ Four environmental variables controlled by HVAC systems can cause damage to information systems: temperature, filtration, humidity, and static electricity.
■ Computer systems depend on stable power supplies to function; when power levels are too high, too low, or too erratic, computer circuitry can be damaged or destroyed. The power provided to computing and networking equipment should contain no unwanted fluctuations and no embedded signaling.
■ Water problems and the weakening and subsequent failure of a building’s physical structure represent potential threats to personal safety and to the integrity and availability of information assets.
■ Data can be intercepted electronically and manually. The three routes of data interception are direct observation, interception of data transmission, and interception of electromagnetic radiation.
■ TEMPEST is a technology that prevents the possible loss of data from the emission of electromagnetic radiation (EMR).
■ With the increased use of laptops, handhelds, and PDAs, organizations should be aware that mobile computing requires even more security than the average in-house system.
■ Remote site computing requires a secure extension of the organization’s internal networks and special attention to security for any connected home or off-site computing technology.
■ Like computing equipment, classified information should be inventoried and managed. If multiple copies are made of a classified document, they should be numbered and tracked.
Review Questions
1. What is physical security? What are the primary threats to physical security? How are they manifested in attacks against the organization?
2. What are the roles of an organization’s IT, security, and general management with regard to physical security?
3. How does physical access control differ from logical access control, which is described in earlier chapters? How are they similar?
4. Define a secure facility. What is the primary objective of designing such a facility? What are some secondary objectives of designing a secure facility?
5. Why are guards considered the most effective form of control for situations that require decisive action in the face of unfamiliar stimuli? Why are they usually the most expensive controls to deploy? When should dogs be used for physical security?
6. List and describe the four categories of locks. In which situation is each type of lock preferred?
7. What are the two possible modes of locks when they fail? What implications do these modes have for human safety? In which situation is each preferred?
8. What is a mantrap? When should it be used?
9. What is the most common form of alarm? What does it detect? What types of sensors are commonly used in this type of alarm system?
10. Describe a physical firewall that is used in buildings. List reasons that an organization might need a firewall for physical security controls.
11. What is considered the most serious threat within the realm of physical security? Why is it valid to consider this threat the most serious?
12. What three elements must be present for a fire to ignite and continue to burn? How do fire suppression systems manipulate the three elements to quell fires?
13. List and describe the three fire detection technologies covered in the chapter. Which is the most commonly used?
14. List and describe the four classes of fire described in the text. Does the class of the fire dictate how to control it?
15. What is Halon and why is its use restricted?
16. What is the relationship between HVAC and physical security? What four physical characteristics of the indoor environment are controlled by a properly designed HVAC system? What are the optimal temperature and humidity ranges for computing systems?
17. List and describe the four primary types of UPS systems. Which is the most effective and the most expensive, and why?
18. What two critical factors are affected when water is not available in a facility? Why are they important to the operation of the organization’s information assets?
19. List and describe the three fundamental ways that data can be intercepted. How does a physical security program protect against each of these data interception methods?
20. What can you do to reduce the risk of theft of portable computing devices, such as smartphones, tablets, and notebooks?
Exercises
1. Assume that your organization is planning to have an automated server room that functions without human assistance. Such a room is often called a lights-out server room. Describe the fire control system(s) you would install in that room.
2. Assume you have converted an area of general office space into a server room. Describe the factors you would consider for each of the following components:
a. Walls and doors
b. Access control
c. Fire detection
d. Fire suppression
e. Heating, ventilating, and air conditioning
f. Power quality and distribution
3. Assume you have been asked to review the power needs of a stand-alone computer system that processes important but noncritical data. Although the system does not have to be online at all times, it stores valuable data that could be corrupted if the power system were suddenly interrupted. Which UPS features are most important to such a system? Which type of UPS do you recommend for it?
4. Using a floor plan from a building you are familiar with, design an electronic monitoring plan that includes closed-circuit television, burglar alarms with appropriate sensors, fire detectors, and suppression and access controls for key entrances.
5. Define the required wattage for a UPS to be used with the following systems:
a. Monitor: 2 amps; CPU: 3 amps; printer: 3 amps
b. Monitor: 3 amps; CPU: 4 amps; printer: 3 amps
c. Monitor: 3 amps; CPU: 4 amps; printer: 4 amps
6. Search the Web for a UPS that provides the wattage necessary to run the systems described in Exercise 5 for at least 15 minutes during a power outage.
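A worked sizing computation for Exercises 5 and 6, added here as an example; it is not from the textbook and the chapter gives none of its parameters. It assumes a 120 V nominal line voltage, a 0.8 power factor for the monitor, CPU and printer loads, 25 percent headroom above the computed load so the UPS is not bought at its rated ceiling, and 90 percent inverter efficiency for the 15-minute battery estimate; all four figures are assumptions you should replace with the values from the equipment nameplates and the UPS data sheet.

```python
"""UPS sizing for Exercises 5 and 6 (added example, not from the textbook).

Assumptions (none of these come from the chapter):
  * nominal line voltage 120 V (a North American office outlet)
  * power factor 0.8 for monitor, CPU and printer loads
  * 25 % headroom so the UPS is not run at its rated ceiling
  * 90 % inverter efficiency when converting battery energy to AC
"""
from dataclasses import dataclass

VOLTS = 120.0          # assumed nominal line voltage
POWER_FACTOR = 0.8     # assumed ratio of real power (W) to apparent power (VA)
HEADROOM = 0.25        # assumed sizing margin above the measured load
INVERTER_EFF = 0.9     # assumed DC-to-AC conversion efficiency


@dataclass(frozen=True)
class UpsSize:
    amps: float                # total load current at the assumed voltage
    va: float                  # apparent power the UPS must supply
    watts: float               # real power drawn by the equipment
    recommended_watts: float   # watts plus headroom; the figure to shop for


def size_ups(loads_amps, volts=VOLTS, power_factor=POWER_FACTOR,
             headroom=HEADROOM):
    """Turn per-device current draws (amps) into a UPS rating.

    VA = amps * volts; W = VA * power factor; the recommended rating adds
    headroom to the real-power figure. Results are rounded to 0.1.
    """
    if not loads_amps or any(a <= 0 for a in loads_amps):
        raise ValueError("each load must be a positive current in amps")
    amps = sum(loads_amps)
    va = amps * volts
    watts = va * power_factor
    return UpsSize(round(amps, 1), round(va, 1), round(watts, 1),
                   round(watts * (1 + headroom), 1))


def battery_watt_hours(watts, minutes, inverter_eff=INVERTER_EFF):
    """Energy the battery must store to carry the load for the given minutes.

    Divides by inverter efficiency: losses in the inverter mean the battery
    must supply more energy than the load actually consumes.
    """
    if watts <= 0 or minutes <= 0 or not 0 < inverter_eff <= 1:
        raise ValueError("watts, minutes and efficiency must be positive")
    return round(watts * minutes / 60.0 / inverter_eff, 1)


# Exercise 5 systems: (monitor, CPU, printer) current draws in amps
EXERCISE_5 = {
    "a": [2, 3, 3],
    "b": [3, 4, 3],
    "c": [3, 4, 4],
}


def size_all(systems=EXERCISE_5):
    """Size every Exercise 5 system and add the Exercise 6 15-minute energy."""
    report = {}
    for name, loads in systems.items():
        s = size_ups(loads)
        report[name] = {
            "amps": s.amps,
            "va": s.va,
            "watts": s.watts,
            "recommended_watts": s.recommended_watts,
            "wh_for_15_min": battery_watt_hours(s.watts, 15),
        }
    return report


if __name__ == "__main__":
    for name, row in size_all().items():
        print(f"system {name}: {row}")
```

Under these assumptions system (a) draws 8 A, needs 960 VA and 768 W, and should be matched to a unit rated for at least 960 W; the battery must hold roughly 213 Wh to ride out 15 minutes. UPS data sheets quote both VA and W, and the lower of the two ratings relative to your load is the one that binds, which is why the function reports both.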
Case Exercises
Amy walked into her office cubicle and sat down. The entire episode with the blond man had taken well over two hours of her day. Plus, the police officers had told her the district attorney would also want to speak with her, which meant she would have to spend even more time dealing with this incident. She hoped her manager would understand.
Discussion Questions
1. Based on this case study, what security awareness measures, training documents, and posters had an impact on this event?
2. Do you think that Amy should have done anything differently? What would you have done in her situation?
Ethical Decision Making
Suppose that the blond man in the scenario was someone Amy knew socially. Suppose she also knew he had no relationship to the company and no business being in the building. If Amy chose not to make a report about the event, would she be violating her ethical position?
Chapter 10
Implementing Information Security
Change is good. You go first!
DILBERT (BY SCOTT ADAMS)
Kelvin Urich arrived early for the change control meeting. In the large, empty conference room, he reviewed his notes and then flipped through the handouts one final time. During the meeting last week, the technical review committee had approved his ideas, and now he was confident that the project plan he’d developed was complete, tight, and well-ordered.
The series of change requests resulting from this project would keep the company’s technical analysts busy for months to come, but he hoped that the scope and scale of the project, and the vast improvements it was sure to bring to the SLS information security program, would inspire his colleagues. To help the project proceed smoothly, he had loaded his handouts with columns of tasks, subtasks, and action items, and had assigned dates to every action step and personnel to each required task. He checked that the handouts were organized properly and that he had plenty of copies. Everything was under control.
Naomi Jackson, the change control supervisor, also arrived a few minutes early. She nodded to Kelvin as she placed a stack of revised agendas in the middle of the conference table. Everyone attending had received the detailed report of planned changes the previous day.
Charlie Moody came in, also nodding to Kelvin, and took his usual seat.
Once the room filled, Naomi said, “Time to get started.” She picked up her copy of the planned change report and announced the first change control item for discussion, Item 742.
One of the members of the UNIX support team responded, “As planned,” meaning that the item, a routine maintenance procedure for the corporate servers, would occur as scheduled.
Naomi continued down the list in numeric order. Most items received the response “As planned” from the sponsoring team member. Occasionally, someone answered “Cancelled” or “Will be rescheduled,” but for the most part, the review of the change items proceeded as usual until it came to Kelvin’s information security change requests.
Naomi said, “Items 761 through 767. Kelvin Urich from the security team is here to discuss these items with the change control group.”
Kelvin distributed his handouts around the table. He waited, a little nervously, until everyone had a copy, and then began speaking: “I’m sure most of you are already aware of the information security upgrades we’ve been working on for the past few months. We’ve created an overall strategy based on the revised policies that were published last month and a detailed analysis of the threats to our systems. As the project manager, I’ve created what I think is a very workable plan. The seven change requests on the list today are all network changes and are each a top priority. In the coming weeks, I’ll be sending each department head a complete list of all planned changes and the expected dates. Of course, detailed change requests will be filed in advance for change control meetings, but each department can find out when any item is planned by checking the master list. As I said, there are more changes coming, and I hope we can all work together to make this a success.”
“Comments or questions?” asked Naomi.
Instantly six hands shot into the air. All of them belonged to senior technical analysts. Kelvin realized belatedly that none of these analysts were on the technical review committee that had approved his plan. He also noticed that half the people in the room, like Amy Windahl from the user group and training committee, were busy pulling calendars and PDAs out of briefcases and bags, and that Davey Martinez from Accounting was engaged in a private but heated discussion with Charlie Moody, Kelvin’s boss. Charlie did not look pleased.
Above the noise, Kelvin heard someone say, “I should have been warned if we are going to have all this work dumped on us all at once.” Someone else said, “We can’t make this happen on this schedule.”
Amid the sudden chaos that had broken out during an otherwise orderly meeting, it occurred to Kelvin that his plan might not be as simple as he’d thought. He braced himself; it was going to be a very long afternoon.
LEARNING OBJECTIVES:
Upon completion of this material, you should be able to:
• Explain how an organization’s information security blueprint becomes a project plan
• Discuss the many organizational considerations that a project plan must address
• Explain the significance of the project manager’s role in the success of an information security project
• Describe the need for professional project management for complex projects
• Discuss technical strategies and models for implementing a project plan
• List and discuss the nontechnical problems that organizations face in times of rapid change
  366. Introduction
  367. Key Term
  368. project plan The documented instructions for participants and stakeholders of a project that
  369. provide details on goals, objectives, tasks, scheduling, and resource management.
First and foremost, an information security project manager must realize that implementing an information security project takes time, effort, and a great deal of communication and coordination. This chapter and the next discuss the two stages of the security systems development life cycle (SecSDLC) implementation phase and describe how to successfully execute the information security blueprint. In general, the implementation phase is accomplished by changing the configuration and operation of the organization’s information systems to make them more secure. It includes changes to the following:
• Procedures (for example, through policy)
• People (for example, through training)
• Hardware (for example, through firewalls)
• Software (for example, through encryption)
• Data (for example, through classification)
As you may recall from earlier chapters, the SecSDLC involves collecting information about an organization’s objectives, its technical architecture, and its information security environment. These elements are used to form the information security blueprint, which is the foundation for protecting the confidentiality, integrity, and availability of the organization’s information.
During the implementation phase, the organization translates its blueprint for information security into a project plan. The project plan instructs the people who are executing the implementation phase. These instructions focus on the security control changes needed to improve the security of the hardware, software, procedures, data, and people that make up the organization’s information systems. The project plan as a whole must describe how to acquire and implement the needed security controls and create a setting in which those controls achieve the desired outcomes.
Before developing a project plan, however, management should coordinate the organization’s information security vision and objectives with the communities of interest involved in the plan’s execution. This coordination ensures that only controls of value to the organization’s information security program are incorporated into the project plan. If a statement of the vision and objectives for the organization’s security program does not exist, one must be developed and incorporated into the project plan. The vision statement should be concise. It should state the mission of the information security program and its objectives. In other words, the project plan is built upon the vision statement, which serves as a compass for guiding the changes necessary for the implementation phase. The components of the project plan should never conflict with the organization’s vision and objectives.
Information Security Project Management
As the opening vignette of this chapter illustrates, organizational change is not easily accomplished. The following sections discuss the issues a project plan must address, including project leadership; managerial, technical, and budgetary considerations; and organizational resistance to the change.
The major steps in executing the project plan are as follows:
• Planning the project
• Supervising tasks and action steps
• Wrapping up
The project plan can be developed in any number of ways. Each organization has to determine its own project management methodology for IT and information security projects. Whenever possible, information security projects should follow the organization’s project management practices. Many organizations now make use of a project office—a centralized resource to maximize the benefits of a standardized approach to project management. One such benefit is the leveraging of common project management practices across the organization to enable reallocation of resources without confusion or delays.
‡ Developing the Project Plan
Key Terms
deliverable A completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project.
milestone A specific point in the project plan when a task that has a noticeable impact on the plan’s progress is complete.
predecessors Tasks or action steps that come before the specific task at hand.
projectitis A situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.
request for proposal (RFP) A document specifying the requirements of a project, provided to solicit bids from internal or external contractors.
resources Components required for the completion of a project, which could include skills, personnel, time, money, and material.
successors Tasks or action steps that come after the specific task at hand.
work breakdown structure (WBS) A list of the tasks to be accomplished in the project, the skill sets or individual employees needed to perform the tasks, the start and end dates for tasks, the estimated resources required, and the dependencies among tasks.
Planning for the implementation phase requires the creation of a detailed project plan, which is often assigned either to a project manager or the project champion. This person manages the project and delegates parts of it to other decision makers. Often the project manager is from the IT community of interest because most other employees lack the requisite information security background, management authority, and technical knowledge.
The project plan can be created using a simple planning tool such as the work breakdown structure (WBS). An example is shown in Table 10-1. To use the WBS approach, you first break down the project plan into its major tasks. The major project tasks are placed into the WBS, along with the following attributes for each:
• Work to be accomplished (activities and deliverables)
• The people or skill sets assigned to perform the task
• Start and end dates for the task, when known
• Amount of effort required for completion, in hours or work days
• Estimated capital expenses for the task
• Estimated noncapital expenses for the task
• Identification of dependencies between and among tasks
Each major task in the WBS is then further divided into either smaller tasks (subtasks) or specific action steps. For the sake of simplicity, the sample project plan outlined in the table and described later in this chapter divides each major task into action steps. In an actual project plan, major tasks are often much more complex and must be divided into subtasks before action steps can be identified and assigned to a specific person or skill set. Given the variety of possible projects, there are few formal guidelines for determining the appropriate level of detail—that is, the level at which a task or subtask should become an action step. However, one hard-and-fast rule can help you make this determination: a task or subtask becomes an action step when it can be completed by one person or skill set and has a single deliverable.
The WBS can be prepared with a simple desktop PC spreadsheet program. The use of more complex project management software often leads to projectitis, in which the project manager spends more time working with the project management software than accomplishing meaningful project work. Recall Kelvin’s handouts from the opening vignette, which were loaded with dates and details. His case of projectitis led him to develop an elegant, detailed plan before gaining consensus for the required changes. Because he was new to project management, he did not realize that simpler software tools could help him focus on organizing and coordinating with the project team.
Work to Be Accomplished
The work to be accomplished encompasses both activities and deliverables. Ideally, the project planner provides a label and a thorough description for the task. The description should be complete enough to avoid ambiguity during the tracking process later, yet should not be so detailed as to make the WBS unwieldy. For instance, if the task is to write firewall specifications for the preparation of a request for proposal (RFP), the planner should note that the deliverable is a specification document suitable for distribution to vendors.
Assignees
The project planner should describe the skills or personnel, often referred to as resources, needed to accomplish the task. The naming of individual employees should be avoided in early planning efforts, a rule Kelvin ignored when he named employees for every task in the first draft of his project plan. Instead of making individual assignments, the project plan should focus on organizational roles or known skill sets. For example, if any of the engineers in the networks group can write the specifications for a router, the assigned resource would be noted as “network engineer” in the WBS. As planning progresses, however, specific tasks and action steps should be assigned to individual employees. For example, when only the manager of the networks group can evaluate responses to the RFP and make an award for a contract, the project planner should assign the network manager as the resource for this task.
Table 10-1 Example Project Plan Work Breakdown Structure

Task or subtask | Resources | Start (S) & end (E) dates | Estimated effort in hours | Estimated capital expense | Estimated noncapital expense | Dependencies
1 Contact field office and confirm network assumptions | Network architect | S: 9/22, E: 9/22 | 2 | $0 | $200 |
2 Purchase standard firewall hardware | | | | | |
2.1 Order firewall through purchasing group | Network architect | S: 9/23, E: 9/23 | 1 | $0 | $100 | 1
2.2 Order firewall from manufacturer | Purchasing group | S: 9/24, E: 9/24 | 2 | $4,500 | $100 | 2.1
2.3 Firewall delivered | Purchasing group | E: 10/3 | 1 | $0 | $50 | 2.2
3 Configure firewall | Network architect | S: 10/3, E: 10/5 | 8 | $0 | $800 | 2.3
4 Package and ship firewall to field office | Student intern | S: 10/6, E: 10/15 | 2 | $0 | $85 | 3
5 Work with local technical resource to install and test | Network architect | S: 10/22, E: 10/31 | 6 | $0 | $600 | 4
6 Penetration test | | | | | |
6.1 Request penetration test | Network architect | S: 11/1, E: 11/1 | 1 | $0 | $100 | 5
6.2 Perform penetration test | Penetration test team | S: 11/2, E: 11/12 | 9 | $0 | $900 | 6.1
6.3 Verify that results of penetration test were passing | Network architect | S: 11/13, E: 11/15 | 2 | $0 | $200 | 6.2
7 Get remote office sign-off and update all network drawings and documentation | Network architect | S: 11/16, E: 11/30 | 8 | $0 | $800 | 6.2

© Cengage Learning 2015

Start and End Dates
In the early stages of planning, the project planner should attempt to specify completion dates only for major project milestones. For example, the date for sending the final RFP to vendors is a milestone because it signals that all RFP preparation work is complete. Assigning too many dates to too many tasks early in the planning process exacerbates projectitis. This is another mistake Kelvin made, and was a significant cause of the resistance he faced from his coworkers. Planners can avoid this pitfall by assigning only key or milestone start and end dates early in the process. Later, planners may add start and end dates as needed.
Amount of Effort
Planners need to estimate the effort required to complete each task, subtask, or action step. Estimating effort hours for technical work is a complex process. Even when an organization has formal governance, technical review processes, and change control procedures, it is always good practice to ask the people who are most familiar with the tasks to make these estimates. After these estimates are made, the people assigned to action steps should review the estimated effort hours, understand the tasks, and agree with the estimates. Had Kelvin collaborated with his peers more effectively and adopted a more flexible planning approach, much of the resistance he encountered in the meeting would not have emerged.
Estimated Capital Expenses
Planners need to estimate the capital expenses required for the completion of each task, subtask, or action item. While each organization budgets and expends capital according to its own established procedures, most differentiate between capital outlays for durable assets and expenses for other purposes. For example, a firewall device that costs $5,000 may be a capital outlay for an organization, but it might not consider a $5,000 software package to be a capital outlay because its accounting rules classify all software as expense items, regardless of cost.
Estimated Noncapital Expenses
Planners need to estimate the noncapital expenses for the completion of each task, subtask, or action item. In business, capital expenses are those for revenue-producing projects that are expected to yield a return on investment, usually more than a year in the future. Noncapital expenses do not meet the criteria for capital expenditures. Some organizations require that current expenses for a project include a recovery charge for staff time, while others exclude employee time and consider only contract or consulting time used by the project as a noncapital expense. As mentioned earlier, it is important to determine the cost accounting practices of the organization for which the plan is to be used. For example, at some companies, a project to implement a firewall may charge only the costs of the firewall hardware as capital and consider all costs for labor and software as expense, regarding the hardware element as a durable good that has a lifespan of many years. Another organization might use the aggregate of all cash outflows associated with the implementation as the capital charge and make no charges to the expense category for everything needed to complete the project. The justification behind using this aggregate of all costs, which might include charges for items like hardware, labor, and freight, is that the newly implemented capability is expected to last for many years and is an improvement to the organization’s infrastructure. A third company may charge the whole project as expense if the aggregate amount falls below a certain threshold, under the theory that small projects are a cost of ongoing operations.
Task Dependencies
Whenever possible, planners should note the dependencies of other tasks or action steps on the one at hand, including task predecessors and successors. Multiple types of dependencies can exist, but such details are typically covered in courses on project management and are beyond the scope of this text.
A process for developing a simple WBS-style project plan is provided in the following steps. In this example, a small information security project has been assigned to Jane Smith for planning. The project is to design and implement a firewall for a small office. The hardware is a standard organizational product and will be installed at a location that already has a network connection.
Jane’s first step is to list the major tasks:
1. Contact field office and confirm network assumptions.
2. Purchase standard firewall hardware.
3. Configure firewall.
4. Package and ship firewall to field office.
5. Work with local technical resource to install and test firewall.
6. Coordinate vulnerability assessment by penetration test team.
7. Get remote office sign-off and update all network drawings and documentation.
After all the people involved review and refine Jane’s plan, she revises it to add more dates to the tasks listed, as shown in Table 10-1.
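The WBS in Table 10-1 is, in effect, a small data structure: tasks with assignees, dates, effort, capital and noncapital expenses, and predecessor links. The Python script below is an added example, not code from the textbook or from Cengage. It transcribes the table's rows (assuming the year 2015, since the table gives only month and day) and applies the checks the preceding sections describe: an ordering in which every predecessor precedes its successors (and a cycle or an unknown predecessor is rejected), detection of a successor dated to start before its predecessor ends, roll-ups of effort and of capital versus noncapital expense, effort per assigned resource, and a heuristic flag for resources written as personal names rather than roles. All helper names (Task, plan_date, TABLE_10_1, topological_order, schedule_conflicts, totals, effort_by_resource, named_individuals, with_start) are this example's own.

```python
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption: Table 10-1 gives month/day only, so a year is supplied here for date comparisons.
YEAR = 2015


@dataclass
class Task:
    """One WBS row with the attributes the text lists for each task."""
    tid: str                      # task or subtask number, e.g. "2.1"
    work: str                     # work to be accomplished
    resource: str                 # role or skill set (not a named employee early in planning)
    start: Optional[date]
    end: Optional[date]
    effort_hours: int
    capital: int                  # estimated capital expense, dollars
    noncapital: int               # estimated noncapital expense, dollars
    predecessors: List[str] = field(default_factory=list)


def plan_date(month: int, day: int) -> date:
    return date(YEAR, month, day)


# Rows transcribed from Table 10-1; summary rows 2 and 6 carry no attributes and are omitted.
TABLE_10_1: Dict[str, Task] = {t.tid: t for t in [
    Task("1", "Contact field office and confirm network assumptions", "Network architect",
         plan_date(9, 22), plan_date(9, 22), 2, 0, 200),
    Task("2.1", "Order firewall through purchasing group", "Network architect",
         plan_date(9, 23), plan_date(9, 23), 1, 0, 100, ["1"]),
    Task("2.2", "Order firewall from manufacturer", "Purchasing group",
         plan_date(9, 24), plan_date(9, 24), 2, 4500, 100, ["2.1"]),
    Task("2.3", "Firewall delivered", "Purchasing group", None, plan_date(10, 3), 1, 0, 50, ["2.2"]),
    Task("3", "Configure firewall", "Network architect", plan_date(10, 3), plan_date(10, 5), 8, 0, 800, ["2.3"]),
    Task("4", "Package and ship firewall to field office", "Student intern",
         plan_date(10, 6), plan_date(10, 15), 2, 0, 85, ["3"]),
    Task("5", "Work with local technical resource to install and test", "Network architect",
         plan_date(10, 22), plan_date(10, 31), 6, 0, 600, ["4"]),
    Task("6.1", "Request penetration test", "Network architect", plan_date(11, 1), plan_date(11, 1), 1, 0, 100, ["5"]),
    Task("6.2", "Perform penetration test", "Penetration test team", plan_date(11, 2), plan_date(11, 12), 9, 0, 900, ["6.1"]),
    Task("6.3", "Verify that results of penetration test were passing", "Network architect",
         plan_date(11, 13), plan_date(11, 15), 2, 0, 200, ["6.2"]),
    Task("7", "Get remote office sign-off and update all network drawings and documentation",
         "Network architect", plan_date(11, 16), plan_date(11, 30), 8, 0, 800, ["6.2"]),
]}


def topological_order(wbs: Dict[str, Task]) -> List[str]:
    """Kahn's algorithm: an order in which every predecessor precedes its successors.
    Raises ValueError for an unknown predecessor or a dependency cycle."""
    indegree = {tid: 0 for tid in wbs}
    successors: Dict[str, List[str]] = {tid: [] for tid in wbs}
    for t in wbs.values():
        for p in t.predecessors:
            if p not in wbs:
                raise ValueError(f"task {t.tid} depends on unknown task {p}")
            successors[p].append(t.tid)
            indegree[t.tid] += 1
    ready = [tid for tid, n in indegree.items() if n == 0]
    order: List[str] = []
    while ready:
        tid = ready.pop(0)
        order.append(tid)
        for s in successors[tid]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(wbs):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(set(wbs) - set(order))))
    return order


def schedule_conflicts(wbs: Dict[str, Task]) -> List[Tuple[str, str]]:
    """(task, predecessor) pairs where a task is dated to start before its predecessor ends."""
    return [(t.tid, p) for t in wbs.values() for p in t.predecessors
            if t.start and wbs[p].end and t.start < wbs[p].end]


def totals(wbs: Dict[str, Task]) -> Dict[str, int]:
    """Roll up effort and the capital/noncapital split that the budgeting sections distinguish."""
    return {"effort_hours": sum(t.effort_hours for t in wbs.values()),
            "capital": sum(t.capital for t in wbs.values()),
            "noncapital": sum(t.noncapital for t in wbs.values())}


def effort_by_resource(wbs: Dict[str, Task]) -> Dict[str, int]:
    """Hours per assigned role, to see which skill set the plan loads most."""
    out: Dict[str, int] = {}
    for t in wbs.values():
        out[t.resource] = out.get(t.resource, 0) + t.effort_hours
    return out


def named_individuals(wbs: Dict[str, Task]) -> List[str]:
    """Heuristic: resources written like a personal name (every word capitalised, e.g. "Jane Smith")
    instead of a role such as "Network architect"; flags the early-planning mistake Kelvin made."""
    return [t.tid for t in wbs.values()
            if len(t.resource.split()) > 1 and all(w[:1].isupper() for w in t.resource.split())]


def with_start(wbs: Dict[str, Task], tid: str, start: Optional[date]) -> Dict[str, Task]:
    """Copy of the plan with one task's start date changed, for what-if replanning."""
    new = dict(wbs)
    new[tid] = replace(wbs[tid], start=start)
    return new


if __name__ == "__main__":
    print(topological_order(TABLE_10_1))
    print(schedule_conflicts(TABLE_10_1))      # [] for the plan as published
    print(totals(TABLE_10_1))
    print(effort_by_resource(TABLE_10_1))
```

Two caveats follow from the table itself. Task 2.3 (delivery) carries only an end date, a milestone in the text's sense, so the conflict check can only test it as a predecessor, never as a successor starting early. And task 7 is listed as depending on 6.2 rather than 6.3, exactly as in the table; the ordering still places 7 after 6.2, but a planner would normally want the sign-off to wait for the verification step as well, which is the kind of question a dependency check is meant to surface.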
For more information on project management certifications in the federal sector, visit www.fai.gov/drupal/certification/program-and-project-managers-fac-ppm.
‡ Project Planning Considerations
Key Term
project scope A description of a project’s features, capabilities, functions, and quality level, used as the basis of a project plan.
As the project plan is developed, adding detail is not always straightforward. The following sections discuss factors that project planners must consider as they decide what to include in the work plan, how to break tasks into subtasks and action steps, and how to accomplish the objectives of the project.
Financial Considerations
Regardless of an organization’s information security needs, the amount of effort that can be expended depends on the available funds. A cost-benefit analysis (CBA), as described in Chapter 5, is typically prepared in the analysis phase of the SecSDLC and must be reviewed and verified prior to the development of the project plan. The CBA determines the impact that a specific technology or approach can have on the organization’s information assets and what it may cost.
Each organization has its own approach to the creation and management of budgets and expenses. In many organizations, the information security budget is a subsection of the overall IT budget. In others, information security is a separate budget category that may have the same degree of visibility and priority as the IT budget. Regardless of where information security items are located in the budget, monetary constraints determine what can and cannot be accomplished.
Public organizations tend to be more predictable in their budget processes than private organizations because the budgets of public organizations are usually the product of legislation or public meetings. This makes it difficult to obtain additional funds once the budget is determined. Also, some public organizations rely on temporary or renewable grants for their budgets and must stipulate their planned expenditures when the grant applications are written. If new expenses arise, funds must be requested via new grant applications. Also, grant expenditures are usually audited and cannot be misspent. However, many public organizations must spend all budgeted funds within the fiscal year—otherwise, the subsequent year’s budget is reduced by the unspent amount. As a result, these organizations often conduct end-of-fiscal-year spend-a-thons. This is often the best time to acquire, for example, that remaining piece of technology needed to complete the information security architecture.
Private (for-profit) organizations have budgetary constraints that are determined by the marketplace. When a for-profit organization initiates a project to improve security, the funding comes from the company’s capital and expense budgets. Each for-profit organization determines its capital budget and the rules for managing capital spending and expenses differently. In almost all cases, however, budgetary constraints affect the planning and actual expenditures for information security. For example, a preferred technology or solution may be sacrificed for a less desirable but more affordable solution. The budget ultimately guides the information security implementation.
To justify the amount budgeted for a security project at either a public or for-profit organization, it may be useful to benchmark expenses of similar organizations. Most for-profit organizations publish the components of their expense reports. Similarly, public organizations must document how funds are spent. A savvy information security project manager might find a number of similarly sized organizations with larger expenditures for security to justify planned spending. While such tactics may not improve this year’s budget, they could improve future budgets. Ironically, attackers can also help information security project planners justify the information security budget. If attacks successfully compromise secured information systems, management may be more willing to support the information security budget.
Priority Considerations
In general, the most important information security controls in the project plan should be scheduled first. Budgetary constraints may have an effect on the assignment of a project’s priorities. As you learned in Chapter 5, the implementation of controls is guided by the prioritization of threats and the value of the threatened information assets. A less important control may be prioritized if it addresses a group of specific vulnerabilities and improves the organization’s security posture to a greater degree than other high-priority controls.
Time and Scheduling Considerations
Time and scheduling can affect a project plan at dozens of points, including the time between ordering and receiving a security control, which may not be immediately available; the time it takes to install and configure the control; the time it takes to train the users; and the time it takes to realize the control’s return on investment. For example, if a control must be in place before an organization can implement its electronic commerce product, the selection process is likely to be influenced by the speed of acquisition and implementation of the various alternatives.
Staffing Considerations
The need for qualified, trained, and available personnel also constrains the project plan. An experienced staff is often needed to implement technologies and to develop and implement policies and training programs. If no staff members are trained to configure a new firewall, the appropriate personnel must be trained or hired.
Procurement Considerations
There are often constraints on the selection of equipment and services—for example, some organizations require the use of particular service vendors or manufacturers and suppliers. These constraints may limit which technologies can be acquired. For example, in a recent budget cycle, the authors’ lab administrator was considering selecting an automated risk analysis software package. The leading candidate promised to integrate everything, including vulnerability scanning, risk weighting, and control selection. Upon receipt of the RFP, the vendor issued a bid to meet the desired requirements for a heart-stopping $75,000, plus a 10 percent annual maintenance fee. If an organization has an annual information security budget of $30,000, it must eliminate a package like this from consideration. Also, consider the chilling effect on innovation when an organization requires elaborate supporting documentation and complex bidding for even small-scale purchases. Such procurement constraints, which are designed to control losses from occasional abuses, may actually increase costs when the lack of operating agility is taken into consideration.
Organizational Feasibility Considerations
Whenever possible, security-related technological changes should be transparent to system users, but sometimes such changes require new procedures—for example, additional authentication or validation. A successful project requires that an organization be able to assimilate the proposed changes. New technologies sometimes require new policies, employee training, and education. Scheduling training after the new processes are in place—after the users have had to deal with the changes without preparation—can create tension and resistance, and might undermine security operations. Untrained users may develop ways to work around unfamiliar security procedures, and their bypassing of controls may create additional vulnerabilities. Conversely, users should not be prepared so far in advance that they forget the new training techniques and requirements. The optimal time frame for training is usually one to three weeks before the new policies and technologies come online.
Training and Indoctrination Considerations
The size of the organization and the normal conduct of business may preclude a large training program for new security procedures or technologies. If so, the organization should conduct a phased-in or pilot implementation, such as roll-out training for one department at a time. See the section titled “Conversion Strategies” later in the chapter for details about various implementation approaches. When a project involves a change in policies, it may be sufficient to brief supervisors on the new policy and assign them the task of updating end users in regularly scheduled meetings. Project planners must ensure that compliance documents are also distributed and that all employees are required to read, understand, and agree to the new policies.
Scope Considerations
The project scope of any given project plan should be carefully reviewed and kept as small as possible given the project’s objectives. To control project scope, organizations should implement large information security projects in stages, as in the bull’s-eye approach discussed later in this chapter.
For several reasons, the scope of information security projects must be evaluated and adjusted with care. First, in addition to the challenge of handling many complex tasks at one time, the installation of information security controls can disrupt the ongoing operations of an organization, and may also conflict with existing controls in unpredictable ways. For example, if you install a new packet filtering router and a new application proxy firewall at the same time and users are blocked from accessing the Web as a result, which technology caused the conflict? Was it the router, the firewall, or an interaction between the two? Limiting the project scope to a set of manageable tasks does not mean that the project should only allow change to one component at a time, but a good plan carefully considers the number of tasks that are planned for the same time in a single department.
Recall from the opening vignette that all of Kelvin’s change requests are in the area of networking, where the dependencies are particularly complex. If the changes in Kelvin’s project plan are not deployed exactly as planned, or if unanticipated complexities arise, there could be extensive disruption to Sequential Label and Supply’s daily operations. For instance, an error in the deployment of the primary firewall rules could interrupt all Internet connectivity, which might make detection and recovery from the error more difficult.
‡ The Need for Project Management

Key Terms

gap analysis The process of comparing measured results against expected results, then using the resulting “gap” as a measure of project success and as feedback for project management.

project wrap-up A process of bringing a project to a conclusion, addressing any pending issues and the overall project effort, and identifying ways to improve the process in the future.
Project management requires a unique set of skills and a thorough understanding of a broad body of specialized knowledge. In the opening vignette, Kelvin’s inexperience as a project manager makes this all too clear. Realistically, most information security projects require a trained project manager—a CISO or a skilled IT manager who is trained in project management techniques. Even experienced project managers are advised to seek expert assistance when engaging in a formal bidding process to select advanced or integrated technologies or outsourced services.

Supervised Implementation Although it is not an optimal solution, some organizations designate a champion from the general management community of interest to supervise the implementation of an information security project plan. In this case, groups of tasks are delegated to individuals or teams from the IT and information security communities of interest. An alternative is to designate a senior IT manager or the CIO of the organization to lead the implementation. In this case, the detailed work is delegated to cross-functional teams. The best solution is to designate a suitable person from the information security community of interest. In the final analysis, each organization must find the project leadership that best suits its specific needs and the personalities and politics of the organizational culture.

Executing the Plan Once a project is under way, it is managed using a process known as gap analysis (also known as a negative feedback loop or cybernetic loop), which ensures that progress is measured periodically. When significant deviation occurs, corrective action is taken to bring the deviating task back into compliance with the project plan; otherwise, the project is revised in light of new information. See Figure 10-1 for an overview of this process.
Corrective action is taken in two basic situations: either the estimate is flawed or performance has lagged. When an estimate is flawed, as when the number of effort hours required is underestimated, the plan should be corrected and downstream tasks updated to reflect the change. When performance has lagged—for example, due to high turnover of skilled employees—corrective action may take the form of adding resources, making longer schedules, or reducing the quality or quantity of the deliverable. Corrective action decisions are usually expressed in terms of trade-offs. Often a project manager can adjust one of the three following planning parameters for the task being corrected:

Effort and money allocated
Elapsed time or scheduling impact
Quality or quantity of the deliverable

When too much effort and money are being spent, you may decide to take more time to complete the project tasks or to lower the deliverable quality or quantity. If the task is taking too long to complete, you should probably add more resources in staff time or money or decrease the deliverable quality or quantity. If the quality of the deliverable is inadequate, you must usually add more resources in staff time or money or take longer to complete the task. Of course, there are complex dynamics among these variables, and these simplistic solutions do not serve in all cases, but this simple trade-off model can help the project manager to analyze available options.

Figure 10-1 Gap analysis (flowchart: Plan initiated; Current state assessed; Current state compared to desired state as per plan; Current = Desired? Yes: Monitor and periodically reassess; No: Develop gap analysis remediation plan, then Implement gap analysis remediation plan and reassess) © Cengage Learning 2015
Project Wrap-up Project wrap-up is usually handled as a procedural task and assigned to a mid-level IT or information security manager. These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting. The goal of the wrap-up is to resolve any pending issues, critique the overall project effort, and draw conclusions about how to improve the process for the future.

For more information on project management, visit the Project Management Institute’s Web site at www.pmi.org.
‡ Security Project Management Certifications

For information security professionals who seek additional credentials and recognition for their project management experience, some certifications are available.

GIAC Certified Project Manager The SANS Institute offers a program that focuses on security professionals and managers with project management responsibilities who seek to demonstrate their mastery of project management methods and strategies.[1] Candidates for the certification may either study on their own or enroll in the SANS IT Project Management course. The program focuses on the following topic areas:

Earned value technique (EVT)
Leadership and management strategy
Project communication management
Project cost management
Project human resource management
Project integration management
Project management framework and approach
Project procurement management
Project quality management
Project risk management
Project scope management
Project stakeholder management
Project time management[2]
IT Security Project Management The EC Council offers the Project Management in Information Technology Security (PMITS) certification as a milestone in its Certified E-Business Professional program. This program focuses on the following topics:

Components of project management in IT security
Organizing the IT security project
Developing the IT security project team
Planning the IT security project
Managing IT project management
Building quality into IT security projects
Closing out IT project management
Defining a corporate IT project plan
General IT security plan
IT operational security plan[3]
Certified Security Project Manager The Security Industry Association (SIA) is a consortium focused predominantly on physical security, but it also incorporates information security into its programs. It has a certification program called the Certified Security Project Manager, which signifies completion of its project manager course, a body of self-study, and the completion of a final examination.

For more information on the SANS GIAC Certified Project Manager certification, visit www.giac.org/certification/certified-project-manager-gcpm. For more information on the EC Council’s PMITS certification, visit www.eccouncil.org. For more information on the SIA certification, visit www.siaonline.org.
Technical Aspects of Implementation

Some aspects of the implementation process are technical and deal with the application of technology, while others deal with the human interface to technical systems. The following sections discuss conversion strategies, prioritization among multiple components, outsourcing, and technology governance.
‡ Conversion Strategies

Key Terms

direct changeover The conversion strategy that involves stopping the old system and starting the new one without any overlap.

parallel operations The conversion strategy that involves running the new system concurrently with the old system.

phased implementation The conversion strategy that involves a measured rollout of the planned system; only part of the system is brought out and disseminated across an organization before the next piece is implemented.

pilot implementation The conversion strategy that involves implementing the entire system into a single office, department, or division, and dealing with issues that arise before expanding to the rest of the organization.
As the components of the new security system are planned, provisions must be made for the changeover from the previous method of performing a task to the new method. Just like IT systems, information security projects require careful conversion planning. This section discusses the four basic approaches for changing from an old system or process to a new one. The approaches are illustrated in Figure 10-2.
Direct Changeover Also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new one. This approach could be as simple as having employees follow the existing procedure one week and then use a new procedure the next. Some cases of direct changeover are simple, such as requiring employees to begin using a new password with a stronger degree of authentication on an announced date. Some may be more complex, such as requiring the entire company to change procedures when the network team disables an old firewall and activates a new one. The primary drawback to the direct changeover approach is that if the new system fails or needs modification, users may be without services while the system’s bugs are worked out. Complete testing of the new system in advance of the direct changeover reduces the probability of such problems.
Phased Implementation A phased implementation is the most common conversion strategy and involves a measured rollout of the planned system, with only part of the system being brought out and disseminated across an organization before the next piece is implemented. This could mean that the security group implements only a small portion of the new security profile, giving users a chance to get used to it and resolving issues as they arise. This is usually the best approach to security project implementation. For example, if an organization seeks to update both its VPN and IDPS systems, it may first introduce the new VPN solution that employees can use to connect to the organization’s network while they’re traveling. Each week another department will be allowed to use the new VPN, with this process continuing until all departments are using the new approach. Once the new VPN has been phased into operation, revisions to the organization’s IDPS can begin.
Pilot Implementation In a pilot implementation, the entire security system is put in place in a single office, department, or division before expanding to the rest of the organization. The pilot implementation works well when an isolated group can serve as the “guinea pig,” which prevents any problems with the new system from dramatically interfering with the performance of the organization as a whole. The operation of a research and development group, for example, may not affect the real-time operations of the organization and could assist security in resolving issues that emerge.
Figure 10-2 Conversion strategies (timelines of Old system versus New system for the Direct, Phased, Pilot, and Parallel approaches) © Cengage Learning 2015
Parallel Operations The parallel operations strategy involves running two systems concurrently; in terms of information systems, it might involve running two firewalls concurrently, for example. Although this approach is complex, it can reinforce an organization’s information security by allowing the old system(s) to serve as backup for the new systems if they fail or are compromised. Drawbacks usually include the need to deal with both systems and maintain both sets of procedures.
‡ The Bull’s-Eye Model

Key Term

bull’s-eye model A method for prioritizing a program of complex change; it requires that issues be addressed from the general to the specific and focuses on systematic solutions instead of individual problems.
A proven method for prioritizing a program of complex change is the bull’s-eye model. This methodology, which goes by many different names and has been used by many organizations, requires that issues be addressed from the general to the specific and that the focus be on systematic solutions instead of individual problems. The increased capabilities—that is, increased expenditures—are used to improve the information security program in a systematic and measured way. As presented here and illustrated in Figure 10-3, the approach relies on a process of project plan evaluation in four layers:

Figure 10-3 The bull’s-eye model (concentric rings, outer to inner: Policies, Networks, Systems, Applications) © Cengage Learning 2015

1. Policies: This is the outer, or first, ring in the bull’s-eye diagram. The critical importance of policies has been emphasized throughout this textbook, particularly in Chapter 4. The foundation of all effective information security programs is sound information security policy and information technology policy. Because policy establishes the ground rules for the use of all systems and describes what is appropriate and inappropriate, it enables all other information security components to function correctly. When deciding how to implement complex changes and choose from conflicting options, you can use policy to clarify what the organization is trying to accomplish with its efforts.
2. Networks: In the past, most information security efforts focused on this layer, so until recently information security was often considered synonymous with network security. In today’s computing environment, implementing information security is more complex because networking infrastructure often comes into contact with threats from the public network. If an organization is new to the Internet and examines its policy environment to define how the new company networks should be defended, it will soon find that designing and implementing an effective DMZ is the primary way to secure those networks. Secondary efforts in this layer include providing the necessary authentication and authorization when allowing users to connect over public networks to the organization’s systems.

3. Systems: Many organizations find that the problems of configuring and operating information systems in a secure fashion become more difficult as the number and complexity of these systems grow. This layer includes computers used as servers, desktop computers, and systems used for process control and manufacturing systems.
4. Applications: The layer that receives attention last deals with the application software systems used by the organization to accomplish its work. This includes packaged applications, such as office automation and e-mail programs, as well as high-end enterprise resource planning (ERP) packages that span the organization. Custom application software developed by the organization for its own needs is also included.
By reviewing the information security blueprint and the current state of the organization’s information security efforts in terms of these four layers, project planners can determine which areas require expanded capabilities. The bull’s-eye model can also be used to evaluate the sequence of steps taken to integrate parts of the information security blueprint into a project plan. As suggested by its bull’s-eye shape, this model dictates the following:

Until sound and usable IT and information security policies are developed, communicated, and enforced, no additional resources should be spent on other controls.
Until effective network controls are designed and deployed, all resources should go toward achieving that goal, unless resources are needed to revisit the policy needs of the organization.
After policies and network controls are established, implementation should focus on the information, process, and manufacturing systems of the organization. Until there is well-informed assurance that all critical systems are being configured and operated in a secure fashion, all resources should be spent on reaching that goal.
Once there is assurance that policies are in place, networks are secure, and systems are safe, attention should move to assessing and remediating the security of the organization’s applications. This is a complicated and vast area of concern for many organizations, and most neglect to analyze the impact of information security on existing systems and their own proprietary systems. As in all planning efforts, attention should be paid to the most critical applications first.
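As an added example (not from the textbook), the sequencing rules above applied to a proposed project plan: tasks in the outermost layer that is not yet assured are funded now, policy tasks are always allowed (the "revisit the policy needs" exception), and everything in inner layers is deferred in bull's-eye order. The task names and layer assurance states are constructed.

```python
"""Bull's-eye sequencing of a project plan (added example, constructed data)."""
from dataclasses import dataclass

# Rings from the outer (general) to the inner (specific) layer.
LAYERS = ("policies", "networks", "systems", "applications")
RANK = {layer: i for i, layer in enumerate(LAYERS)}


@dataclass(frozen=True)
class Task:
    name: str
    layer: str            # one of LAYERS
    critical: bool = False  # "attention to the most critical applications first"


def first_unassured_layer(assurance):
    """Return the outermost layer that lacks well-informed assurance, or None
    when all four layers are assured. Missing entries count as unassured."""
    for layer in LAYERS:
        if not assurance.get(layer, False):
            return layer
    return None


def sequence_plan(tasks, assurance):
    """Split proposed tasks into (funded_now, deferred).

    funded_now: tasks in the outermost unassured layer, plus policy tasks,
                which may be revisited at any time.
    deferred:   tasks in layers inside the current target, listed in the
                order the model will reach them (critical ones first).
    """
    for task in tasks:
        if task.layer not in LAYERS:
            raise ValueError(f"unknown bull's-eye layer: {task.layer!r}")

    target = first_unassured_layer(assurance)
    if target is None:
        # Everything is assured: remaining work is application review.
        target = "applications"

    funded, deferred = [], []
    for task in tasks:
        if task.layer == "policies" or task.layer == target:
            funded.append(task)
        else:
            deferred.append(task)

    order = lambda t: (RANK[t.layer], not t.critical)
    return sorted(funded, key=order), sorted(deferred, key=order)


if __name__ == "__main__":
    # Constructed plan: policy is assured, network controls are not.
    plan = [
        Task("Patch ERP package", "applications", critical=True),
        Task("Harden file servers", "systems"),
        Task("Deploy DMZ", "networks"),
        Task("Revise acceptable use policy", "policies"),
    ]
    now, later = sequence_plan(plan, {"policies": True, "networks": False})
    print("fund now:", [t.name for t in now])
    print("deferred:", [t.name for t in later])
```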
‡ To Outsource or Not

Not every organization needs to develop an information security department or program of its own. Just as some organizations outsource part or all of their IT operations, so too can organizations outsource their information security programs. The expense and time required to develop an effective information security program may be beyond the means of some organizations, so it may be in their best interest to hire professional services to help their IT departments implement such a program.

When an organization outsources most or all of its IT services, information security should be part of the contract arrangement with the supplier. Organizations that handle most of their own IT operations may choose to outsource the more specialized information security functions. Small and medium-sized organizations often hire outside consultants for penetration testing and information security program audits. Organizations of all sizes frequently outsource network monitoring functions to make certain that their systems are adequately secured and to gain assistance in watching for attempted or successful attacks.

For an interesting article on outsourcing security, visit renowned security consultant and author Bruce Schneier’s Web page at www.schneier.com/essay-084.html.
‡ Technology Governance and Change Control

Key Terms

change control A method of regulating the modification of systems within the organization by requiring formal review and approval for each change.

technology governance A process organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence.
Other factors that determine the success of an organization’s IT and information security programs are technology governance and change control. Governance was covered in detail in Chapter 4.

Technology governance guides how frequently technical systems are updated and how technical updates are approved and funded. Technology governance also facilitates communication about technical advances and issues across the organization.

Medium-sized and large organizations deal with the impact of technical change on their operations through a change control process. By managing the process of change, the organization can do the following:

Improve communication about change across the organization.
Enhance coordination between groups within the organization as change is scheduled and completed.
Reduce unintended consequences by having a process to resolve conflict and disruption that change can introduce.
Improve quality of service as potential failures are eliminated and groups work together.
Assure management that all groups are complying with the organization’s policies for technology governance, procurement, accounting, and information security.

Effective change control is an essential part of the IT operation in all but the smallest organizations. The information security group can also use the change control process to ensure that the organization follows essential process steps that assure confidentiality, integrity, and availability when systems are upgraded across the organization.
‡ The SANS Top 20 Critical Security Controls

To provide guidance for the implementation of security controls in the organization, the SANS Institute serves as a sponsor and host of the list of top 20 critical security controls. The SANS Institute notes that security standards and requirement frameworks have come and gone in recent years, always making an effort to address the risks that organizations face when using enterprise systems. These efforts often seem to devolve into a set of rote compliance reports, resulting in a diversion of resources that may have been better spent making actual improvements in the security posture to meet evolving threats rather than writing reports to address threats from the past. This state of affairs was noted in 2008 by the U.S. National Security Agency (NSA), which undertook an “offense must inform defense” approach that sought to enable the selection and implementation of controls based on a prioritization model with an intention to block actual threats instead of generating compliance documentation. The result was the emergence of a global consortium drawn from industry and government that became known as the Critical Security Controls (the Controls). The SANS Institute was charged with a coordinating role in this process. Later, in 2013, accountability for the Controls was passed to the Council on CyberSecurity (the Council), a global, independent nonprofit organization that intended to provide for a secure and open Internet.

The Controls sought to deliver functionality that focused on emerging advanced targeted threats, placing an emphasis on practical control approaches. The Controls were offered in a framework that emphasized standardization of approach and the use of automated techniques where possible, seeking to deliver a high degree of effectiveness and an essential efficiency to operations. The Controls are recognized as a subset of the controls enumerated in the National Institute of Standards and Technology (NIST) SP 800-53, and are not intended to supplant the NIST directives, including the Cybersecurity Framework developed in response to Executive Order 13636. Rather, this effort is a means of implementing a smaller number of actionable controls that deliver maximum results from a modest set of resource inputs using a structured list of priorities.

Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action.[4]
A partial list of the 2013 critical controls follows:

1. Inventory of Authorized and Unauthorized Devices—Actively manage (inventory, track, and correct) all hardware devices on the network […].
2. Inventory of Authorized and Unauthorized Software—Actively manage […] all software on the network […].
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers—Establish, implement, and actively manage […] the security configuration of laptops, servers, and workstations […].
4. Continuous Vulnerability Assessment and Remediation—Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
5. Malware Defenses—Control the installation, spread, and execution of malicious code […].
6. Application Software Security—Manage the security life cycle of all […] software […].
7. Wireless Access Control—Manage the processes and tools used to track, control, prevent, and correct the security use of wireless local area networks […].
8. Data Recovery Capability—The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
9. Security Skills Assessment and Appropriate Training to Fill Gaps—For all functional roles in the organization […], identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches—Establish, implement, and actively manage […] the security configuration of network infrastructure […].
11. Limitation and Control of Network Ports, Protocols, and Services—Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices […].
12. Controlled Use of Administrative Privileges—The processes and tools used to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
13. Boundary Defense—Detect, prevent, and correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
14. Maintenance, Monitoring, and Analysis of Audit Logs—Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
15. Controlled Access Based on the Need to Know—Control the processes and tools used to track, control, prevent, and correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
16. Account Monitoring and Control […].
17. Data Protection […].
18. Incident Response and Management […].
19. Secure Network Engineering […].
20. Penetration Tests and Red Team Exercises […].[5]
Nontechnical Aspects of Implementation
Some aspects of information security implementation are not technical in nature, but deal instead with the human interface to technical systems. The sections that follow discuss the topic of creating a culture of change management and considerations for organizations facing change.
‡ The Culture of Change Management
The prospect of change, the familiar shifting to the unfamiliar, can cause employees to resist the change, either unconsciously or consciously. Regardless of whether the changes are perceived as good or bad, employees tend to prefer the old way of doing things. Even when employees embrace changes, the stress of actually making the changes and adjusting to new procedures can increase the probability of mistakes or create vulnerabilities in systems. By understanding and applying some basic tenets of change management, project managers can lower employee resistance to change and can even build resilience for it, thereby making ongoing change more palatable to the entire organization.
The basic foundation of change management requires people who are making the changes to understand that organizations typically have cultures that represent their mood and philosophy. Disruptions to this culture must be properly addressed and their effects minimized. One of the oldest models of change is the Lewin change model, 6 which consists of three simplistic stages:
Unfreezing: Thawing hard-and-fast habits and established procedures. Preparing the organization for upcoming changes facilitates the implementation of new processes, systems, and procedures. Training and awareness programs assist in this preparation.
Moving: Transitioning between the old way and the new. The physical implementation of new methods, using the strategies outlined earlier in this chapter, requires the organization to recognize the cessation of old ways of work and reinforces the need to use the new methods.
Refreezing: The integration of the new methods into the organizational culture, which is accomplished by creating an atmosphere in which the changes are accepted as the preferred way of accomplishing the necessary tasks.
‡ Considerations for Organizational Change
An organization can take steps to make its employees more amenable to change. These steps reduce resistance to change at the beginning of the planning process and encourage members of the organization to be more flexible as changes occur.
Reducing Resistance to Change from the Start
The level of resistance to change affects the ease with which an organization can implement procedural and managerial changes. The more ingrained the existing methods and behaviors are, the more difficult it will probably be to make the change. It’s best, therefore, to improve interactions between the affected members of the organization and project planners in the early phases of an information security improvement project. These interactions can be improved through a three-step process in which project managers communicate, educate, and involve.
Communication is the first and most critical step. Project managers must communicate with employees so they know a new security process is being considered and that their feedback is essential to making it work. You must also constantly update employees on the progress of the SecSDLC and provide information on the expected completion dates. This ongoing series of updates keeps the process from being a last-minute surprise and primes people to accept the change more readily when it finally arrives.
At the same time, you must update and educate employees about exactly how the proposed changes will affect them individually and within the organization. While detailed information may not be available in earlier stages of a project plan, details that can be shared with employees may emerge as the SecSDLC progresses. Education also involves teaching employees to use the new systems once they are in place. As discussed earlier, this means delivering high-quality training programs at the appropriate times.
Finally, project managers can reduce resistance to change by involving employees in the project plan. This means getting key representatives from user groups to serve as members of the SecSDLC development process. In systems development, this process is referred to as joint application development, or JAD. Identifying a liaison between IT and information security implementers and the organization’s general population can serve the project team well in early planning stages, when unforeseen problems with acceptance of the project may need to be addressed.
Developing a Culture That Supports Change
An ideal organization fosters resilience to change. This means the organization understands that change is a necessary part of the culture, and that embracing change is more productive than fighting it. To develop such a culture, the organization must successfully accomplish many projects that require change. A resilient culture can be either cultivated or undermined by management’s approach. Strong management support for change, with a clear executive-level champion, enables the organization to recognize the necessity for change and its strategic importance. Weak management support, with overly delegated responsibility and no champion, sentences the project to almost certain failure. In such a case, employees sense the low priority assigned to the project and do not communicate with the development team because the effort seems useless.
For a sample change management and control policy template, visit the ISO27001security.com Web page at www.iso27001security.com/ISO27k_Model_policy_on_change_management_and_control.docx.
Information Systems Security Certification and Accreditation
Key Terms
accreditation The process that authorizes an IT system to process, store, or transmit information.
certification In information security, the comprehensive evaluation of an IT system’s technical and nontechnical security controls that establishes the extent to which a particular design and implementation meets a set of predefined security requirements, usually in support of an accreditation process.
At first glance, it may seem that only systems for handling secret government data require security certification or accreditation. However, organizations are increasingly finding that their systems need to have formal mechanisms for verification and validation in order to comply with recent federal regulations that protect personal privacy.
‡ Certification Versus Accreditation
In security management, accreditation is what authorizes an IT system to process, store, or transmit information. It is issued by a management official and is a means of assuring that systems are of adequate quality. It also challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements. In the same vein, certification is the evaluation of an IT system’s security controls to support the accreditation process. Organizations pursue accreditation or certification to gain a competitive advantage or to provide assurance to their customers. Federal systems require accreditation under OMB Circular A-130 and the Computer Security Act of 1987. Accreditation demonstrates that management has identified an acceptable risk level and provided resources to control unacceptable risk levels.
Certification and accreditation (C&A) are not permanent. Just as standards of due diligence and due care require ongoing maintenance, most C&A processes typically require reaccreditation or recertification every three to five years.
‡ The NIST Security Life Cycle Approach
Two documents provide guidance for the certification and accreditation of U.S. information systems: SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach; and CNSS Instruction-1000: National Information Assurance Certification and Accreditation Process (NIACAP).
Information processed by the U.S. government is grouped into one of three categories: national security information (NSI), non-NSI, and the intelligence community. National security information is processed on national security systems (NSSs), which are managed and operated by the Committee on National Security Systems (CNSS). Non-NSSs are managed and operated by the National Institute of Standards and Technology (NIST). Intelligence community information is a separate category and is handled according to guidance from the office of the Director of National Intelligence.
An NSS is defined as any information system, including any telecommunications system, used or operated by an agency, a contractor of any agency, or other organization on behalf of an agency, that has the following characteristics:
Involves intelligence activities
Involves cryptologic activities related to national security
Involves command and control of military forces
Involves equipment that is an integral part of a weapon or weapon system
Is subject to subparagraph (B) of the Federal Information Security Management Act of 2002, is critical to the direct fulfillment of military or intelligence missions, or is protected at all times by procedures for information that have been specifically authorized under criteria established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.
Subparagraph (B) states that this criterion “does not include a system that is to be used for routine administration and business applications (including payroll, finance, logistics, and personnel management applications).” 7
National security information must be processed on NSSs, which have more stringent requirements. NSSs process a mix of NSI and non-NSI and are accredited using CNSS guidance. Non-NSS systems follow NIST guidance. More than 20 major government agencies store, process, or transmit NSI, and many of them have both NSSs and systems that are not rated as NSSs. You can learn more about the CNSS community and how NSSs are managed and operated at www.cnss.gov.
In recent years, the Joint Task Force Transformation Initiative Working Group of the U.S. government and NIST have worked to overhaul the formal C&A program for non-NSI systems. The program has been modified from a separate C&A process into an integrated Risk Management Framework (RMF), which can be used for normal operations and still provide assurance that the systems are capable of reliably housing confidential information. NIST SP 800-37, Rev. 1, provides a detailed description of the new RMF process. The following section is adapted from this document.
The revised process emphasizes: (i) building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; and (iii) providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the nation arising from the operation and use of information systems.
… The risk management process described in this publication changes the traditional focus of C&A as a static, procedural activity to a more dynamic approach that provides the capability to more effectively manage information system-related security risks in highly diverse environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities, and rapidly changing missions.
… The guidelines in SP 800-37, Rev. 1 are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. 8
Risk management is the subject of Chapter 5, but because the U.S. government is replacing the old C&A process with a formal RMF, that framework is briefly described here. As the reference for its RMF, SP 800-37, Rev. 1 specifically refers to NIST SP 800-39, a new publication titled Integrated Enterprise-Wide Risk Management: Organization, Mission and Information Systems View. The NIST RMF builds on a three-tiered approach to risk management that addresses risk-related concerns at the organization level, the mission and business process level, and the information system level, as illustrated in Figure 10-4.
Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy …
Tier 2 addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture …
Tier 3 addresses risk from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e., security controls) at the information system level. Information security requirements are satisfied by the selection of appropriate management, operational, and technical security controls from NIST Special Publication 800-53.
[Figure 10-4 Tiered Risk Management Framework. Tier 1: Organization (Governance); Tier 2: Mission/Business Process (Information and Information Flows); Tier 3: Information System (Environment of Operation), spanning strategic risk at the top to tactical risk at the bottom. Labeled characteristics: Multitier Organization-Wide Risk Management; Implemented by the Risk Executive (Function); Tightly coupled to Enterprise Architecture and Information Security Architecture; System Development Life Cycle Focus; Disciplined and Structured Process; Flexible and Agile Implementation.]
© Cengage Learning 2015
The Risk Management Framework (RMF), which is illustrated in Figure 10-5, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners).
The RMF steps include:
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the operation of the information system and the decision that this risk is acceptable.
Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. 9
[Figure 10-5 Risk Management Framework (Process Overview). Step 1: Categorize Information System; Step 2: Select Security Controls; Step 3: Implement Security Controls; Step 4: Assess Security Controls; Step 5: Authorize Information System; Step 6: Monitor Security Controls; repeat as necessary. Starting point inputs: Organizational Inputs (Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations) and Architecture Description (Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries).]
© Cengage Learning 2015
With regard to using the RMF:
The organization has significant flexibility in deciding which families of security controls or specific controls from selected families in NIST Special Publication 800-53 are appropriate for the different types of allocations. Since the security control allocation process involves the assignment and provision of security capabilities derived from security controls, the organization ensures that there is effective communication among all entities either receiving or providing such capabilities. This communication includes, for example, ensuring that common control authorization results and continuous monitoring information are readily available to those organizational entities inheriting common controls, and that any changes to common controls are effectively communicated to those affected by such changes. [Figure 10-6] illustrates security control allocation within an organization and using the RMF to produce information for senior leaders (including authorizing officials) on the ongoing security state of organizational information systems and the missions and business processes supported by those systems. 10
Chapter 3 of SP 800-37, Rev. 1, provides detailed guidance for implementing the RMF, including information on primary responsibility, supporting roles, the system development life cycle phase, supplemental guidance, and references. An overview of the tasks involved is shown in Table 10-2.
Why is it important that you know this information? Your organization may someday want to become a government contractor, if it isn’t already. These guidelines apply to all systems that connect to U.S. government entities not identified as national security systems or as containing national security information.
For more information on these and related NIST Special Publications, visit the CSRC Web Site at http://csrc.nist.gov/publications/PubsSPs.html.
‡ NSTISS Certification and Accreditation
National security interest systems have their own security C&A standards, which also follow the guidance of OMB Circular A-130. CNSS, formerly known as the National Security Telecommunications and Information Systems Security Committee (NSTISSC), has a C&A document titled NSTISS Instruction 1000: National Information Assurance Certification and Accreditation Process (NIACAP). The following section contains excerpts from this document and provides an overview of the purpose and process of this C&A program.
1. The document establishes the minimum national standards for certifying and accrediting national security systems. This process provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site. This process
[Figure 10-6 Security control allocation from NIST SP 800-37, Rev. 1. Risk Executive Function: Organization-Wide Risk Governance and Oversight (Core Missions/Business Processes, Security Requirements, Policy Guidance). Common Controls: Security Controls Inherited by Organizational Information Systems. Each Information System carries System-specific Controls and Hybrid Controls; the Risk Management Framework (RMF) produces, per system, a Security Plan, a Security Assessment Report, a Plan of Action and Milestones, and an Authorization Decision.]
© Cengage Learning 2015
  1586. RMF Step 1—Categorize Information System
  1587. 1-1 (Security Categorization): Categorize the information system and document the results of the security
  1588. categorization in the security plan.
  1589. 1-2 (Information System Description): Describe the information system, including the system boundary, and
  1590. document the description in the security plan.
  1591. 1-3 (Information System Registration): Register the information system with appropriate organizational program/
  1592. management offices.
  1593. Milestone Checkpoint for RMF Step 1:
  1594. Has the organization completed a security categorization of the information system, including the
  1595. information to be processed, stored, and transmitted by the system?
  1596. Are the results of the security categorization process for the information system consistent with the organization’s
  1597. enterprise architecture and commitment to protecting organizational mission/business processes?
  1598. Do the results of the security categorization process reflect the organization’s risk management strategy? Has
  1599. the organization adequately described the characteristics of the information system?
  1600. Has the organization registered the information system for purposes of management, accountability,
  1601. coordination, and oversight?
  1602. RMF Step 2—Select Security Controls
2-1 (Common Control Identification): Identify the security controls provided by the organization as common controls for organizational information systems and document the controls in a security plan or equivalent document.
2-2 (Security Control Selection): Select the security controls for the information system and document the controls in the security plan.
2-3 (Monitoring Strategy): Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.
2-4 (Security Plan Approval): Review and approve the security plan.
Milestone Checkpoint for RMF Step 2:
Has the organization allocated all security controls to the information system as system-specific, hybrid, or common controls?
Has the organization used its formal or informal risk assessment to inform and guide the security control selection process?
Has the organization identified authorizing officials for the information system and all common controls inherited by the system?
Has the organization tailored and supplemented the baseline security controls to ensure that the controls, if implemented, adequately mitigate risks to the organization’s operations and assets, individual employees, other organizations, and the nation?
Has the organization addressed minimum assurance requirements for the security controls employed within the information system and inherited by it?
Has the organization consulted information system owners when identifying common controls to ensure that the security capability provided by the inherited controls is sufficient to deliver adequate protection?
Has the organization supplemented the common controls with system-specific or hybrid controls when the security baselines of the common controls are less than those of the information system inheriting the controls?
Has the organization documented the common controls inherited from external providers?
Has the organization developed a continuous monitoring strategy for the information system, including monitoring of security control effectiveness for system-specific, hybrid, and common controls, that reflects the organization’s risk management strategy and commitment to protecting critical missions and business functions?
Have appropriate organizational officials approved security plans containing system-specific, hybrid, and common controls?
RMF Step 3—Implement Security Controls
3-1 (Security Control Implementation): Implement the security controls specified in the security plan.
3-2 (Security Control Documentation): Document the security control implementation as appropriate in the security plan; provide a functional description of the control implementation, including planned inputs, expected behavior, and expected outputs.
Milestone Checkpoint for RMF Step 3:
Has the organization allocated security controls as system-specific, hybrid, or common controls consistent with the enterprise architecture and information security architecture?
Has the organization demonstrated the use of sound information system and security engineering methodologies in integrating information technology products into the information system and in implementing the security controls contained in the security plan?
Has the organization documented how common controls inherited by organizational information systems have been implemented?
Has the organization documented how system-specific and hybrid security controls have been implemented within the information system, taking into account specific technologies and platform dependencies?
Has the organization taken into account the minimum assurance requirements when implementing security controls?
RMF Step 4—Assess Security Controls
4-1 (Assessment Preparation): Develop, review, and approve a plan to assess the security controls.
4-2 (Security Control Assessment): Assess the security controls in accordance with the assessment procedures defined in the security assessment plan.
4-3 (Security Assessment Report): Prepare the security assessment report, which documents the issues, findings, and recommendations from the security control assessment.
4-4 (Remediation Actions): Conduct initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated control(s), as appropriate.
Milestone Checkpoint for RMF Step 4:
Has the organization developed a comprehensive plan to assess the security controls employed within the information system or inherited by it?
Was the assessment plan reviewed and approved by appropriate organizational officials?
Has the organization considered the appropriate level of assessor independence for the security control assessment?
Has the organization provided all of the essential supporting materials needed by the assessor(s) to conduct an effective security control assessment?
Has the organization examined opportunities for reusing assessment results from previous assessments or from other sources?
Did the assessor(s) complete the security control assessment in accordance with the stated assessment plan?
Did the organization receive the completed security assessment report with appropriate findings and recommendations from the assessor(s)?
Did the organization take the necessary remediation actions to address the most important weaknesses and deficiencies in the information system and its environment of operation, based on the findings and recommendations in the security assessment report?
Did the organization update appropriate security plans based on the findings and recommendations in the security assessment report and any subsequent changes to the information system and its environment of operation?
RMF Step 5—Authorize Information System
5-1 (Plan of Action and Milestones): Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken.
5-2 (Security Authorization Package): Assemble the security authorization package and submit it to the authorizing official for adjudication.
5-3 (Risk Determination): Determine the risk to the organization’s operations (including mission, functions, image, or reputation), organizational assets, individual employees, other organizations, or the nation.
5-4 (Risk Acceptance): Determine if the risk to the organization’s operations, organizational assets, individual employees, other organizations, or the nation is acceptable.
Table 10-2 Executing the Risk Management Framework Tasks
Source: NIST SP 800-37, Rev. 1.
focuses on an enterprise-wide view of the information system (IS) in relation to the organization’s mission and the IS business case.
2. The NIACAP is designed to certify that the IS meets documented accreditation requirements and will continue to maintain the accredited security posture throughout the system life cycle.
The key to the NIACAP is the agreement between the IS program manager, designated approving authority (DAA), certification agent (certifier), and user representative. These parties resolve critical schedule, budget, security, functionality, and performance issues.
The NIACAP agreements are documented in the system security authorization agreement (SSAA), which is used to guide and document the results of the C&A process. The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before system development begins or changes are made to a system. After accreditation, the SSAA becomes the baseline security configuration document.
The minimum NIACAP roles include the program manager, DAA, certifier, and user representative. Additional roles may be added to increase the integrity and objectivity of C&A decisions. For example, the information systems security officer (ISSO) usually performs a key role in maintaining the security posture after accreditation and may also play a key role in the system C&A.
The SSAA:
Describes the operating environment and threat
Describes the system security architecture
Establishes the C&A boundary of the system to be accredited
Documents the formal agreement among the DAA(s), certifier, program manager, and user representative
Documents all requirements necessary for accreditation
Minimizes documentation requirements by consolidating applicable information into the SSAA; this information includes the security policy, concept of operations, architecture description, and test procedures
Documents the NIACAP plan
Documents test plans and procedures, certification results, and residual risk
Forms the baseline security configuration document
The NIACAP is composed of four phases, as shown from several perspectives in Figures 10-7 to 10-11. These phases are definition, verification, validation, and post accreditation.
Phase 1, definition, determines the necessary security measures and effort level to achieve certification and accreditation. The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
Phase 2, verification, verifies the evolving or modified system’s compliance with the information in the SSAA. The objective of Phase 2 is to ensure that the fully integrated system is ready for certification testing.
Figure 10-7 Overview of the NIACAP process
(Flowchart; image not reproduced. The SSAA runs through all four phases. Phase 1, Definition: determine requirements; define boundaries; tailor the process and scope the effort; draft the SSAA. Phase 2, Verification: system development activities; initial certification analysis; document results. Phase 3, Validation: test installed system; evaluate procedural, physical, personnel, CM, etc. procedures; document results. Phase 4, Post Accreditation: operate the system; security operations; change management (CM) and change control; maintain SSAA.)
Source: NSTISSI-1000.
Figure 10-8 NIACAP Phase 1, Definition
(Flowchart; image not reproduced. Inputs: business case or mission need, threat, systems docs., requirements, etc. Activities, grouped as preparation, registration, and negotiation: 1. Review documentation; 2. Prepare mission description and system identification; 3. Register system; 4. Describe environment and threat; 5. Describe system architecture; 6. Determine security requirements; 7. Identify organization and resources; 8. Tailor NIACAP and plan work; 9. Draft SSAA; 10. Certifications requirements review; 11. Agree on level of effort and schedule; 12. Approve Phase 1 SSAA. Decision: Agreement? If yes, the SSAA proceeds to Phase 2, Verification; if no, the task returns to negotiation via connector A.)
Source: NSTISSI-1000.
Figure 10-9 NIACAP Phase 2, Verification
(Flowchart; image not reproduced. Inputs: SSAA from Phase 1, systems documents, configuration control plans, etc. Systems activities: integration or development, repeated as life cycle activity 1 to n. Initial certification analysis: 1. System architecture; 2. Software design; 3. Network connection(s); 4. Integrity of integrated products; 5. Life cycle management; 6. Prepare security requirements validation procedures; 7. Vulnerability evaluation. Decisions: Pass? If no, reanalyze and revise; Ready for Phase 3? If yes, the updated SSAA proceeds to Phase 3, Validation; if no, return via connector A.)
Source: NSTISSI-1000.
Figure 10-10 NIACAP Phase 3, Validation
(Flowchart; image not reproduced. Inputs: SSAA from Phase 2, test procedures and site information. Activities, certification evaluation of integrated system: 1. Security test and evaluation; 2. Penetration testing; 3. TEMPEST evaluation; 4. COMSEC evaluation; 5. System management analysis; 6. Site evaluation; 7. Contingency plan evaluation; 8. Risk management review. Decisions: Certify system? If yes, develop recommendation; Accreditation granted? If yes, the updated SSAA proceeds to Phase 4, Post Accreditation; if no at either decision, return via connector A.)
Source: NSTISSI-1000.
Phase 3, validation, validates compliance of the fully integrated system with the security policy and requirements stated in the SSAA. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system. This approval is either accreditation or an interim approval to operate (IATO).
For more information on the NIACAP process, visit the FISMA Web site at www.fismacenter.com/nstissi_1000.pdf.
Phase 4, post accreditation, starts after the system has been certified and accredited for operations. Phase 4 includes activities necessary for the continuing operation of the accredited IS and manages the changing threats and small-scale changes a system faces through its life cycle. The objective of Phase 4 is to ensure that secure system management, operation, and maintenance sustain an acceptable level of residual risk.
Figure 10-11 NIACAP Phase 4, Post Accreditation
(Flowchart; image not reproduced. Inputs: SSAA from Phase 3, test procedures, and site information. System operations and security operations: 1. SSAA maintenance; 2. Physical, personnel, and management control review; 3. TEMPEST evaluation; 4. COMSEC evaluation; 5. Contingency plan maintenance; 6. Change management; 7. System security management; 8. Risk management review. Compliance validation: 9. Site and physical security validation; 10. Security procedures validation; 11. System changes and related impact validation; 12. System architecture and system interfaces validation; 13. Management procedures validation; 14. Risk decisions validation. Decisions: Change requested or required? If yes, return to Phase 1, Definition; Validation required? If yes, perform compliance validation; if no, continue operations via connector A.)
Source: NSTISSI-1000.
The accreditation process itself is so complex that professional certifiers must be trained. The CNSS has a set of training standards for federal information technology workers who deal with information security. One of these documents, NSTISSI-4015, provides a national training standard for systems certifiers (see www.ecs.csus.edu/csc/iac/nstissi_4015.pdf).
A qualified systems certifier must be formally trained in the fundamentals of information security and have field experience. Systems certifiers should have system administrator and/or basic ISSO experience, and be familiar with the knowledge, skills, and abilities required of the DAA, as illustrated in NSTISSI-4015. Once professionals complete training based on NSTISSI-4015, which includes material from NSTISSI-1000, they are eligible to be a federal agency systems certifier. Note that NSTISSI-1000 is currently under revision; an updated version could be available within the next few years.
‡ ISO 27001/27002 Systems Certification and Accreditation
Many larger organizations outside the United States apply the standards provided under the International Standards Organization, standards ISO 27001 and 27002, as discussed in Chapter 4. Recall that the standards were originally created to provide a foundation for British certification of information security management systems (ISMSs). Organizations that want to demonstrate their systems have met this international standard must follow the certification process, which includes the following phases:
The first phase of the process involves your company preparing and getting ready for the certification of your ISMS: developing and implementing your ISMS, using and integrating your ISMS into your day-to-day business processes, training your staff, and establishing an ongoing program of ISMS maintenance.
The second phase involves employing one of the accredited certification bodies to carry out an audit of your ISMS.
The certificate that is awarded will last for three years, after which the ISMS needs to be recertified. Therefore, there is a third phase of the process (assuming the certification has been successful and a certificate has been issued), which involves the certification body visiting your ISMS site on a regular basis (e.g., every 6–9 months) to carry out a surveillance audit. 11
Figure 10-12 shows the process flow of ISMS certification and accreditation.
Figure 10-12 ISMS certification and accreditation 12
(Flowchart with three columns, Inputs, Processes, and Deliverables; image not reproduced. Inputs: company decides to implement ISO 27001; management commitment, assign project responsibilities; company approach to risk management; identify main threats, risks, impacts, and vulnerabilities; controls and guidance from ISO 17799 plus controls not in ISO 17799. Processes: define information security policy; define scope of ISMS; perform RA for scope of ISMS; decide how to manage risks identified; select objectives and controls to be implemented; implement controls; get ready for and undergo certification; decision Pass? If yes, certificate granted; if no, take corrective action. Deliverables: deliver policy document; deliver ISMS scope document (boundary of ISMS); produce RA document; agree to and document accountabilities and responsibilities; prepare SOA (framework).)
© Cengage Learning 2015
Selected Readings
Information Technology Project Management, Fifth Edition, by Kathy Schwalbe. Course Technology. 2007. Boston.
The PMI Project Management Fact Book, Second Edition, by the Project Management Institute. 2001. Newtown Square, PA.
NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
NIST DRAFT SP 800-39, Managing Risk from Information Systems: An Organizational Perspective.
Chapter Summary
■ The implementation phase of the security systems development life cycle involves modifying the configuration and operation of the organization’s information systems to make them more secure. Such changes include those to procedures, people, hardware, software, and data.
■ During the implementation phase, the organization translates its blueprint for information security into a concrete project plan.
■ Before developing a project plan, management should articulate and coordinate the organization’s information security vision and objectives with the involved communities of interest.
■ The major steps in executing the project plan are planning the project, supervising tasks and action steps within the plan, and wrapping up the plan.
■ Each organization determines its own project management methodology for IT and information security projects. Whenever possible, an organization’s information security projects should be in line with its project management practices.
■ Planning for the implementation phase involves the creation of a detailed project plan. The project plan can be created by using a simple planning tool such as the work breakdown structure (WBS). The plan can be prepared with a simple desktop PC spreadsheet program or with more complex project management software. The WBS involves addressing major project tasks and their related attributes, including the following:
  ■ Work to be accomplished (activities and deliverables)
  ■ Individual employees or skill sets assigned to perform the task
  ■ Start and end dates for the task, when known
  ■ Amount of effort required for completion, in hours or days
  ■ Estimated capital expenses for the task
  ■ Estimated noncapital expenses for the task
  ■ Identification of task interdependencies
■ Constraints and considerations should be addressed when developing the project plan, including financial, procurement, priority, time and scheduling, staffing, scope, organizational feasibility, training and indoctrination, change control, and technology governance considerations.
■ Organizations usually designate a professional project manager to lead a security information project. Alternatively, some organizations designate a champion from a senior level of general management or a senior IT manager, such as the CIO.
■ Once a project is under way, it can be managed to completion using a process known as a negative feedback loop or cybernetic loop. This process involves measuring variances from the project plan and then taking corrective action when needed.
■ As the components of the new security system are planned, provisions must be made for the changeover from the previous method of performing a task to the new method(s). The four common conversion strategies for performing this changeover are:
  ■ Direct changeover
  ■ Phased implementation
  ■ Pilot implementation
  ■ Parallel operations
■ The bull’s-eye model is a proven method for prioritizing a program of complex change. Using this method, the project manager can address issues from the general to the specific and focus on systematic solutions instead of individual problems.
■ When the expense and time required to develop an effective information security program is beyond the reach of an organization, it should outsource the program to competent professional services.
■ Technology governance is a complex process that an organization uses to manage the impacts and costs of technology implementation, innovation, and obsolescence.
■ The change control process is a method that medium-sized and large organizations use to deal with the impact of technical change on their operations.
■ As with any project, certain aspects of change must be addressed. In any major project, the prospect of moving from the familiar to the unfamiliar can cause employees to resist change, consciously or unconsciously.
■ Implementing and securing information systems often requires external certification or accreditation.
■ Accreditation is the authorization of an IT system to process, store, or transmit information. This authorization is issued by a management official to assure that systems are of adequate quality.
■ Certification is a comprehensive evaluation of an IT system’s technical and nontechnical security controls to validate an accreditation process.
■ A variety of accreditation and certification processes are used globally, including the U.S. federal agency system and the ISO 27001 and 27002 standards.
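As an added illustration of the chapter summary's WBS attributes and of the negative feedback loop, the following Python is not from the textbook or any project it describes. It models each WBS task with the attributes the summary lists (work, assigned skill set, effort, capital and noncapital expense, interdependencies), validates the dependency graph, computes the effort and cost rollup and an earliest-finish schedule, and flags tasks whose actual effort exceeds the plan by more than a tolerance, which is the variance measurement the feedback loop acts on. All names (Task, validate_wbs, scheduled_order, earliest_finish, rollup, variance_report) and the sample tasks are constructed for this example; the sample is loosely patterned on the Web-filtering scenario in Exercise 1 and is not an answer to it.

```python
# Added example (not from the textbook): a small work breakdown structure (WBS)
# model carrying the task attributes the chapter summary lists, plus the
# variance check behind the negative feedback loop. All names and task data
# here are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter  # standard library, Python 3.9+


@dataclass
class Task:
    """One WBS task with the attributes the chapter describes."""
    task_id: str
    work: str                               # activity or deliverable
    skill_set: str                          # employee or skill set assigned
    effort_hours: float                     # estimated effort
    capital_cost: float = 0.0               # estimated capital expense
    noncapital_cost: float = 0.0            # estimated noncapital expense
    predecessors: tuple[str, ...] = ()      # task interdependencies
    actual_hours: float | None = None       # recorded while supervising the task


def validate_wbs(tasks: dict[str, Task]) -> list[str]:
    """Report unknown predecessors and dependency cycles; empty list means consistent."""
    problems = []
    for t in tasks.values():
        for p in t.predecessors:
            if p not in tasks:
                problems.append(f"{t.task_id}: unknown predecessor {p}")
    graph = {k: set(t.predecessors) & set(tasks) for k, t in tasks.items()}
    try:
        list(TopologicalSorter(graph).static_order())
    except CycleError:
        problems.append("dependency cycle detected")
    return problems


def scheduled_order(tasks: dict[str, Task]) -> list[str]:
    """Task ids in an order that respects every predecessor (call validate_wbs first)."""
    return list(TopologicalSorter({k: set(t.predecessors) for k, t in tasks.items()}).static_order())


def earliest_finish(tasks: dict[str, Task], hours_per_day: float = 8.0) -> dict[str, float]:
    """Earliest finish day per task if each starts when its predecessors finish (staffing not limited)."""
    finish: dict[str, float] = {}
    for tid in scheduled_order(tasks):
        t = tasks[tid]
        start = max((finish[p] for p in t.predecessors), default=0.0)
        finish[tid] = start + t.effort_hours / hours_per_day
    return finish


def rollup(tasks: dict[str, Task]) -> dict[str, float]:
    """Total planned effort and expenses for the whole WBS."""
    capital = sum(t.capital_cost for t in tasks.values())
    noncapital = sum(t.noncapital_cost for t in tasks.values())
    return {
        "effort_hours": sum(t.effort_hours for t in tasks.values()),
        "capital": capital,
        "noncapital": noncapital,
        "total_cost": capital + noncapital,
    }


def variance_report(tasks: dict[str, Task], tolerance: float = 0.10) -> list[tuple[str, float]]:
    """Negative feedback loop: flag tasks whose actual effort exceeds the plan by more than tolerance."""
    flagged = []
    for t in tasks.values():
        if t.actual_hours is None:          # not yet measured
            continue
        variance = (t.actual_hours - t.effort_hours) / t.effort_hours
        if variance > tolerance:
            flagged.append((t.task_id, round(variance, 2)))
    return flagged


# Constructed sample WBS, loosely patterned on the Web-filtering scenario in Exercise 1.
SAMPLE_WBS = {t.task_id: t for t in (
    Task("1.1", "Write acceptable-use and filtering policy", "security manager", 16),
    Task("1.2", "Procure filtering appliance", "purchasing", 8, capital_cost=18000, predecessors=("1.1",)),
    Task("1.3", "Install and configure appliance", "network engineer", 150, predecessors=("1.2",)),
    Task("1.4", "Train administrators", "vendor trainer", 24, noncapital_cost=3240,
         predecessors=("1.3",), actual_hours=30),
    Task("1.5", "Pilot with one department", "help desk", 40, predecessors=("1.3",), actual_hours=41),
)}

if __name__ == "__main__":
    print("problems:", validate_wbs(SAMPLE_WBS))
    print("order:", scheduled_order(SAMPLE_WBS))
    print("finish day:", earliest_finish(SAMPLE_WBS))
    print("rollup:", rollup(SAMPLE_WBS))
    print("over plan:", variance_report(SAMPLE_WBS))
```

Running the block as a script prints the consistency check, a dependency-respecting order, the earliest finish day of each task, the effort and cost totals, and the one task (administrator training) whose actual effort ran more than 10 percent over its estimate. The schedule deliberately ignores staffing limits and calendar dates, which the summary notes are often unknown early in planning; a real plan would add them once resources are named.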
Review Questions
1. What is a project plan? List what a project plan can accomplish.
2. What is the value of a statement of vision and objectives? Why is it needed before a project plan is developed?
3. What categories of constraints to project plan implementation are noted in the chapter? Explain each of them.
4. List and describe the three major steps in executing the project plan.
5. What is a work breakdown structure (WBS)? Is it the only way to organize a project plan?
6. What is projectitis? How is it cured or its impact minimized?
7. List and define the common attributes of tasks within a WBS.
8. How does a planner know when a task has been subdivided to an adequate degree and can be classified as an action step?
9. What is a deliverable? Name two uses for deliverables.
10. What is a resource? What are the two types?
11. Why is it a good practice to delay naming specific people as resources early in the planning process?
12. What is a milestone, and why is it significant to project planning?
13. Why is it good practice to assign start and end dates sparingly in the early stages of project planning?
14. Who is the best judge of effort estimates for project tasks and action steps? Why?
15. Within project management, what is a dependency? What is a predecessor? What is a successor?
16. What is a negative feedback loop? How is it used to keep a project in control?
17. When a task is not being completed according to the plan, what two circumstances are likely to be involved?
18. List and describe the four basic conversion strategies that are used when converting to a new system. Under which circumstances is each strategy the best approach?
19. What is technology governance? What is change control? How are they related?
20. What are certification and accreditation when applied to information systems security management? List and describe at least two certification or accreditation processes.
Exercises
1. Create a first draft of a WBS from the following scenario. Make assumptions as needed based on the section about project planning considerations and constraints in this chapter. In your WBS, describe the skill sets required for the tasks you have planned.
Sequential Label and Supply has a problem with employees surfing the Web to access material the company deems inappropriate for a professional environment. Therefore, SLS wants to insert a filtering device in the company Internet connection that blocks certain Web locations and content. According to the vendor, the filter is a hardware appliance that costs $18,000 and requires 150 hours to install and configure. Technical support for the filter costs 18 percent of the purchase price and includes a training allowance for the year. A software component that runs on the administrator’s desktop computer is needed to administer the filter; this component costs $550. A monthly subscription provides the list of sites to be blocked and costs $250 per month. An estimated four hours per week are required for administrative functions.
2. If you have access to commercial project management software, such as Microsoft Project, use it to complete a project plan based on the data shown in Table 10-2. Prepare a simple WBS report or Gantt chart that shows your work.
3. Write a job description for Kelvin Urich, the project manager described in the opening vignette of this chapter. Be sure to identify key characteristics of the ideal candidate, as well as work experience and educational background. Also, justify why your job description is suitable for potential candidates of this position.
4. Search the Web for job descriptions of project managers. You can use any number of Web sites, including www.monster.com or www.dice.com, to find at least 10 IT-related job descriptions. What common elements do you find among the job descriptions? What is the most unusual characteristic among them?
Case Exercises
Charlie looked across his desk at Kelvin, who was absorbed in the sheaf of handwritten notes from the meeting. Charlie had asked Kelvin to come to his office and discuss the change control meeting from earlier that day.
“So what do you think?” Charlie asked.
“I think I was blindsided by a bus!” Kelvin replied. “I thought I had considered all the possible effects of the change in my project plan. I tried to explain this, but everyone acted as if I had threatened their lives.”
“In a way you did, or rather you threatened their jobs,” Charlie stated. “Some people believe that change is the enemy.”
“But these changes are important.”
“I agree,” Charlie said. “But successful change usually occurs in small steps. What’s your top priority?”
“All the items on this list are top priorities,” Kelvin said. “I haven’t even gotten to the second tier.”
“So what should you do to accomplish these top priorities?” Charlie asked.
“I guess I should reprioritize within my top tier, but what then?”
“The next step is to build support before the meeting, not during it,” Charlie said, smiling. “Never go into a meeting where you haven’t done your homework, especially when other people in the meeting can reduce your chance of success.”
Discussion Questions
1. What project management tasks should Kelvin perform before his next meeting?
2. What change management tasks should Kelvin perform before his next meeting, and how do these tasks fit within the project management process?
3. Had you been in Kelvin’s place, what would you have done differently to prepare for this meeting?
Ethical Decision Making
Suppose Kelvin has seven controls listed as the top tier of project initiatives. At his next meeting with Charlie, he provides a rank-ordered list of these controls with projected losses over the next 10 years for each if it is not completed. Also, he has estimated the 10-year cost for developing, implementing, and operating each control. Kelvin has identified three controls as being the most advantageous for the organization in his opinion. As he prepared the slides for the meeting, he “adjusted” most projected losses upward to the top end of the range estimate given by the consultant who prepared the data. For the projected costs of his preferred controls, he chose to use the lowest end of the range provided by the consultant.
Do you think Kelvin has had an ethical lapse by cherry-picking the data for his presentation?
Suppose that instead of choosing data from the range provided by the consultant, Kelvin simply made up better numbers for his favorite initiatives. Is this an ethical lapse?
Suppose Kelvin has a close friend who works for a firm that makes and sells software for a specific control objective on the list. When Kelvin prioritized the list of his preferences, he made sure that specific control was at the top of the list. Kelvin planned to provide his friend with internal design specifications and the assessment criteria to be used for vendor selection for the initiative. Has Kelvin committed an ethical lapse?
Chapter 11
Security and Personnel
I think we need to be paranoid optimists.
ROBERT J. EATON, CHAIRMAN OF THE BOARD OF MANAGEMENT, DAIMLERCHRYSLER AG (RETIRED)
Among Iris Majwubu’s morning e-mails was a message from Charlie Moody, with the subject line “I need to see you.” As she opened the message, Iris wondered why on earth the senior manager of IT needed to see her. The e-mail read:
From: Charles Moody [cmoody@slsco.com]
To: Iris Majwubu [imajwubu@slsco.com]
Subject: I need to see you
Iris,
Since you were a material witness in the investigation, I wanted to advise you of the status of the Magruder case. We completed all of the personnel actions on this matter yesterday, and it is now behind us.
You might like to know that the Corporate Security Department believes that you helped us resolve this security matter in its early stages, so no company assets were compromised.
Please set up an appointment with me in the next few days to discuss a few things.
—Charlie
Two days later, Iris entered Charlie Moody’s office. He rose from his desk as she entered.
“Come in, Iris,” Charlie said. “Have a seat.”
Nervously, she chose a chair closest to the door, not anticipating that Charlie would come around his desk and sit down next to her. As he took his seat, Iris noticed that the folder in his hand looked like her personnel file, and she took a deep breath.
“I’m sure you’re wondering why I asked you to meet with me,” said Charlie. “The company really appreciates your efforts in the Magruder case. Because you followed policy and acted so quickly, we avoided a significant loss. You were right to bring that issue to your manager’s attention rather than confronting Magruder directly. You not only made the right choice, but you acted quickly and showed a positive attitude throughout the whole situation—basically, I think you demonstrated an information security mindset. And that’s why I’d like to offer you a transfer to Kelvin Urich’s information security group. I think his team would really benefit from having someone like you on board.”
“I’m glad I was able to help,” Iris said, “but I’m not sure what to say. I’ve been a DBA for three years here. I really don’t know much about information security other than what I learned from the company training and awareness sessions.”
“That’s not a problem,” Charlie said. “What you don’t know you can learn.” He smiled. “So how about it, are you interested in the job?”
Iris said, “It does sound interesting, but to be honest I hadn’t been considering a career change.” She paused for a moment, then added, “I am willing to think about it, though. But I have a few questions.…”
LEARNING OBJECTIVES:
Upon completion of this material, you should be able to:
• Describe where and how the information security function should be positioned within organizations
• Explain the issues and concerns related to staffing the information security function
• Enumerate the credentials that information security professionals can earn to gain recognition in the field
• Discuss how an organization’s employment policies and practices can support the information security effort
• Identify the special security precautions that must be taken when using contract workers
• Explain the need for the separation of duties
• Describe the special requirements needed to ensure the privacy of personnel data
Introduction
When implementing information security, an organization must first address how to position and name the security function. Second, the information security community of interest must plan for the function’s proper staffing or for adjustments to the staffing plan. Third, the IT community of interest must assess the impact of information security on every IT function and adjust job descriptions and documented practices accordingly. Finally, the general management community of interest must work with information security professionals to integrate solid information security concepts into the organization’s personnel management practices.
To assess the effect that the changes will have on the organization’s personnel management practices, the organization should conduct a behavioral feasibility study before the implementation phase—that is, in the analysis phase. The study should include an investigation into the levels of employee acceptance of change and resistance to it. Employees often feel threatened when an organization is creating or enhancing an information security program. They may perceive the program to be a manifestation of a Big Brother attitude, and might have questions such as:
• Why is management monitoring my work or my e-mail?
• Will information security staff go through my hard drive looking for evidence to fire me?
• How can I do my job well now that I have to deal with the added delays of information security technology?
As you learned in Chapter 10, resolving these sorts of doubts and reassuring employees about the role of information security programs are fundamental objectives of implementation. Thus, it is important to gather employee feedback early and respond to it quickly. This chapter explores the issues involved in positioning the information security unit within the organization and in staffing the information security function. The chapter also discusses how to manage the many personnel challenges that arise across the organization and demonstrates why these challenges should be considered part of the organization’s overall information security program.
Positioning and Staffing the Security Function
There are several valid choices for positioning the Information Security department within an organization. The model commonly used by large organizations places the information security department within the Information Technology department and usually designates the CISO (chief information security officer) or CSO (chief security officer) to lead the function. The CISO reports directly to the company’s top computing executive, or CIO. Such a structure implies that the goals and objectives of the CISO and CIO are aligned, but this is not always the case. By its very nature, an information security program can sometimes work at odds with the goals and objectives of the Information Technology department as a whole. The CIO, as the executive in charge of the organization’s technology, strives to create efficiency in the availability, processing, and accessing of company information. Thus, anything that limits access or slows information processing can impede the CIO’s mission for the entire organization.
The CISO’s function is more like that of an internal auditor in that he must direct the Information Security department to examine data in transmission and storage to detect suspicious traffic, and examine systems to discover information security faults and flaws in technology, software, and employees’ activities and processes. These examinations can disrupt the speed at which the organization’s information is processed and accessed. Because the addition of multiple layers of security inevitably slows users’ access to information, information security may be viewed by some employees as a hindrance to the organization’s operations. A good information security program maintains a careful balance between access and security, and works to educate all employees about the need for necessary delays to ensure the protection of critical information.
Because the goals and objectives of CIOs and CISOs tend to contradict each other, the trend among many organizations has been to separate their information security function from the IT division. An article in the IT industry magazine InformationWeek summarized the reasoning behind this trend quite succinctly: “The people who do and the people who watch shouldn’t report to a common manager.”¹ This sentiment was echoed in an ISO 27001 posting: “One of the most important things in information security is to avoid conflict of interest; that is, to separate the operations from control and audit.”²
A survey conducted by the consulting firm Meta Group found that while only 3 percent of its clients position the Information Security department outside IT, these clients regarded such positioning as the mark of a forward-thinking organization. Another group, Forrester Research, concludes that the traditional structure of the CISO or CSO reporting to the CIO will be prevalent for years to come, but that it will begin to involve numerous variations in which different IT sections report information to the CSO, and thereby provide IS departments the critical input and control they need to protect the organization’s IT assets.³ In general, the data seems to suggest that while many organizations believe the CISO or CSO should function as an independent, executive-level decision maker, information security and IT are currently too closely aligned to separate into two departments.
In his book Information Security Roles and Responsibilities Made Easy, Charles Cresson Wood compiles the best practices from many industry groups regarding the positioning of information security programs. According to Wood, information security can be placed within any of the following organizational functions:
• IT, as a peer of other subfunctions such as networks, applications development, and the help desk
• Physical security, as a peer of physical security or protective services
• Administrative services, as a peer of human resources or purchasing
• Insurance and risk management
• The legal department
Once the proper position of information security has been determined, the challenge is to design a reporting structure that balances the competing needs of each community of interest. The placement of information security in the reporting structure often reflects the fact that no one actually wants to manage it; thus, the unit is moved from place to place within the organization without regard for the impact on its effectiveness. Organizations should find a rational compromise by placing information security where it can best balance its duty to monitor compliance with its ability to provide the education, training, awareness, and customer service needed to make information security an integral part of the organization’s culture. Also, the need to have the top security officer report directly to the executive management group instead of just the CIO becomes critical, especially if the security department is positioned in the IT function.
‡ Staffing the Information Security Function
The selection of information security personnel is based on several criteria, some of which are not within the control of the organization. Consider the fundamental concept of supply and demand. When the demand for any commodity—for example, a critical technical skill—increases too quickly, supply initially fails to meet demand. Many future IS professionals seek to enter the security market by gaining the skills, experience, and credentials they need to meet this demand. In other words, they enter high-demand markets by changing jobs, going to school, or becoming trained. Until the new supply reaches the demand level, organizations must pay the higher costs associated with limited supply. Once the supply meets or exceeds the demand, organizations can become more selective, and the amount they are willing to pay drops. Hiring trends swing back and forth like a pendulum, from high demand and low supply to the other extreme of low demand and high supply, because the economy is seldom in a state of equilibrium. In 2002, the information security industry enjoyed a period of high demand, with relatively few qualified and experienced applicants available for organizations seeking their services. The economic realities of 2003 through 2006—a climate of lower demand for all IT professionals—led to more limited job growth for information security practitioners. From 2008 to 2012, the downturn in the U.S. economy stifled jobs across IT, not just in information security. In the last couple of years, the demand has begun to increase again.
The latest forecasts for IT hiring in general and information security in particular project more openings than in many previous years. According to the Bureau of Labor Statistics (BLS):
Employment of information security analysts is projected to grow 37 percent from 2012 to 2022, much faster than the average for all occupations. Demand for information security analysts is expected to be very high, as these analysts will be needed to come up with innovative solutions to prevent hackers from stealing critical information or creating havoc on computer networks.⁴
This information is illustrated with additional job outlook data in Figure 11-1.
Figure 11-1 BLS job summary for information security analysts
Source: U.S. Bureau of Labor Statistics.
For more information on job forecasts in information security, visit the Bureau of Labor Statistics at www.bls.gov and search on “information security.”
The BLS data in Figure 11-1 only examines specific positions for an information security analyst. It does not consider the positions of a network and computer systems administrator or a computer and information systems manager with information security responsibilities. The BLS summaries for these two positions are provided in Figure 11-2. There are almost 800,000 positions in the IT arena that could potentially have information security responsibilities, with an estimated 120,000 more to be filled in the next decade.
Figure 11-2 BLS summaries for computer administrators and managers
Source: www.bls.gov.
In 2014, U.S. News and World Report ranked the “100 best jobs” of the year, based on growth in the field, salary, job prospects, employment rate, stress level, and work-life balance. The position of information security analyst came in 11th overall and fourth in “best technology jobs,” with software developer and computer systems analyst ranking first and second, respectively.⁵ The Department of Homeland Security reports that:
DHS will be doing extensive hiring in the next three years. Key occupational areas that will be the focus of hiring in the Washington, D.C., metropolitan area are contracting and information technology specialists at all grade levels. Hiring for the following positions will be for locations nationwide at various grade levels: border patrol agents, customs and border protection officers, agriculture specialists, pilots, adjudication officers, attorneys, intelligence analysts, criminal investigators, deportation officers, immigration enforcement agents, cybersecurity specialists, chemical safety inspectors and transportation security officers (airport screeners).⁶
(Emphasis added.)
Perhaps more meaningful to this discussion is the (ISC)² Global Information Security Workforce Study, which found that 56 percent of all respondents felt their information security workforce was understaffed. More importantly, this percentage included two-thirds of all responding C-level executives, those with the greatest influence over hiring and budget decisions. Respondents attributed the shortage to “three factors: business conditions; executives not fully understanding the need; and an inability to locate appropriate information security professionals.”⁷ The good news is that the study predicts an increase in information security personnel; more than 30 percent of respondents indicated that information security spending on personnel will increase.
For more information on the (ISC)² Global Information Security Workforce Study, visit www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/2013-ISC2-Global-Information-Security-Workforce-Study.pdf.
Qualifications and Requirements A number of factors influence an organization’s hiring decisions. Because information security has only recently emerged as a separate discipline, hiring in this field is complicated by a lack of understanding among organizations about what qualifications an information security professional should possess. In many organizations, information security teams currently lack established roles and responsibilities. Establishing better hiring practices in an organization requires the following:
• The general management community of interest should learn more about the skills and qualifications for information security positions and IT positions that affect information security.
• Upper management should learn more about the budgetary needs of information security and its positions. This knowledge will enable management to make sound fiscal decisions for information security and the IT functions that carry out many information security initiatives.
• The IT and general management communities should grant appropriate levels of influence and prestige to information security, especially to the role of CISO.
In most cases, organizations look for a technically qualified information security generalist who has a solid understanding of how an organization operates. In many fields, the more specialized professionals are more marketable. In information security, however, overspecialization can be risky. It is important, therefore, to balance technical skills with general knowledge about information security.
When hiring information security professionals, organizations frequently look for candidates who understand the following:
• How an organization operates at all levels
• That information security is usually a management problem and is seldom an exclusively technical problem
• How to work with people and collaborate with end users, and the importance of strong communications and writing skills
• The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution rather than part of the problem
• Most mainstream IT technologies at a general level, not necessarily as an expert
• The terminology of IT and information security
• The threats facing an organization and how they can become attacks
• How to protect an organization’s assets from information security attacks
• How business solutions, including technology-based solutions, can be applied to solve specific information security problems
Entry into the Information Security Profession

Many information security professionals enter the field through one of two career paths. Some come from law enforcement or the military, where they were involved in national security or cybersecurity. Others are technical professionals—networking experts, programmers, database administrators, and systems administrators—who find themselves working on information security applications and processes more often than traditional IT assignments. In recent years, a third, perhaps more traditional career path has developed: college students who select and tailor their degree programs to prepare for work in the field of information security. Figure 11-3 illustrates these career paths.

[Figure 11-3 Career paths to information security positions. Paths shown: information security college graduates, information technology, law enforcement, and the military, each leading to information security. © 2015 Cengage Learning]
Many hiring managers in information security prefer to recruit security professionals who have proven IT skills and professional experience in another IT field. IT professionals who move into information security, however, tend to focus on technology, sometimes in place of general information security issues. Organizations can foster greater professionalism in the discipline by expanding beyond the hiring of proven IT professionals and instead filling positions by matching qualified candidates to clearly defined roles in information security.

Information Security Positions

The use of standard job descriptions can increase the degree of professionalism in the information security field and improve the consistency of roles and responsibilities among organizations. Organizations that expect to revise these roles and responsibilities can consult Charles Cresson Wood’s book, Information Security Roles and Responsibilities Made Easy, which offers a set of model job descriptions for information security positions. The book also identifies the responsibilities and duties of IT staff members whose work involves information security.[8] Figure 11-4 illustrates a standard reporting structure for information security positions.

A study of information security positions by Schwartz, Erwin, Weafer, and Briney found that the positions can be classified into one of three areas: those that define information security programs, those that build the systems and create the programs to implement information security controls, and those that administer information security control systems and programs that have been created. The definers are managers who provide policy and planning and manage risk assessments. They are typically senior information security managers—they have extensive and broad knowledge, but not a lot of technical depth. The builders are techies who create security technical solutions to protect software, systems, and networks. The administrators apply the techies’ tools in accordance with the decisions and guidance of the definers; they provide day-to-day systems monitoring and operation in support of an organization’s goals and objectives. By clearly identifying which type of role it is seeking and then classifying all applicants into these three types and matching them, the organization can recruit more effectively.[9] Some examples of job titles shown in Figure 11-4 are discussed in the following sections.
[Figure 11-4 Positions in information security. Positions shown: Chief Security Officer, Information Security Consultant, Information Security Manager, Information Security Technician/Engineer, Information Security Administrator, Physical Security Manager, and Physical Security Officer. © Cengage Learning 2015]
Chief Information Security Officer (CISO)

The CISO is typically the top information security officer in the organization. As indicated earlier in the chapter, the CISO is usually not an executive-level position, and frequently the person in this role reports to the chief information officer. Though CISOs are business managers first and technologists second, they must be conversant in all areas of information security, including the technical, planning, and policy areas. In many cases, the CISO is the major definer or architect of the information security program. The CISO performs the following functions:
- Manages the overall information security program for the organization
- Drafts or approves information security policies
- Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
- Develops information security budgets based on available funding
- Sets priorities for the purchase and implementation of information security projects and technology
- Makes decisions or recommendations for the recruiting, hiring, and firing of security staff
- Acts as the spokesperson for the information security team

The most common qualification for this type of position is the Certified Information Systems Security Professional (CISSP) accreditation, which is described later in this chapter. A graduate degree is also often required, although it may be from a number of possible disciplines, including information systems, computer science, another information technology field, criminal justice, military science, business, or other fields related to the broader topic of security.

A typical example of a CISO’s job description is shown below. The example has been edited for length and is from a state government job posting, but it is very similar to postings in general industry.
Position: Chief Information Security Officer

Job duties: The Chief Information Security Officer reports to the State’s Deputy Division Administrator, DET and is responsible for the statewide security program. The CISO’s role is to provide vision and leadership for developing and supporting security initiatives. The CISO directs the planning and implementation of enterprise IT system, business operation, and facility defenses against security breaches and vulnerability issues. This individual is also responsible for auditing existing systems, while directing the administration of security policies, activities, and standards.

The CISO is responsible for providing regulatory oversight for information security. This oversight includes the development of enterprise-wide policy, procedures, and guidance for compliance with federal laws, regulations, and guidelines, and sound security and privacy practices. Additionally, the CISO is responsible for reviewing security program documentation developed to ensure compliance and further enhance security practices across all component agencies.

The CISO is responsible for deployed security across the enterprise, including platforms, network, and security tools. The CISO is also responsible for identifying and assessing internal and external threats, vulnerabilities and risks as well as ensuring that robust monitoring, timely detection, containment, and incident response necessary to mitigate the exposure caused by the breach is in place.

The CISO provides leadership, guidance, direction, and authority for technology security across all corporate technology departments, including measurements applicable to services provided.

The CISO is responsible for ensuring that workflow within the division runs smoothly so that new technology projects are appropriately monitored for security risks and appropriate risk mitigation requirements are efficiently set forth and appropriately designed and delivered with the newly developed production system. Policies, procedures and technical standards and architecture will need to be regularly reviewed and updated to prevent unauthorized access of State of Wisconsin technology systems.

Special notes: Due to the nature of the position, DOA will conduct a thorough background check on applicant prior to selection.

Job knowledge, skills, and abilities:

General:
- Strong oral and written communication skills, including the ability to communicate business and technical concepts and information effectively to a wide range of audiences, including the public
- Strong interpersonal skills, including the ability to work independently with high-level government officials, business and IS managers and staff in federal, state and local agencies, and with division and department managers in a decentralized environment
- Strong project management skills
- Demonstrated ability to effectively interface with technical staff, senior management, and external parties
- Proven ability to plan and organize work, requiring an in-depth understanding of security issues and ability to integrate into the work of others
- Ability to defend and explain difficult issues with respect to key decisions and positions to staff and senior officials
- Experience in analyzing enterprise business and technology issues in a large corporation or government organization
- Ability to establish credibility so decisions and recommendations are adopted
- Ability to identify appropriate members and develop effective teams with specific knowledge and skills needed to develop solutions and make recommendations
- Resourceful in identifying and obtaining information sources needed to perform responsibilities effectively

Technological/specific:
- Must be an intelligent, articulate, and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and nontechnical staff
- Security background, experience in business management, and professional expertise in security and law
- Possess a strong technical background in information technology security
- Knowledge of secure software development
- Computer/network investigation skills and forensics knowledge
- Extensive knowledge of networks, system, database and applications security
- Demonstrated ability to work with management and staff at various levels of the organization to implement sound security practices
- Ability to provide technical direction to security architects and project consultants to ensure appropriate security requirements are set forth on new development efforts
- Knowledge of standards-based architectures, with an understanding of how to get there, including compliance monitoring and enforceability
- Experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation
- Strong working knowledge of security principles (such as authentication, vulnerability testing, penetration testing, auditing, crime scene preservation and risk management) and security elements (such as locking systems, evacuation methods, perimeter controls, VPNs, and firewalls)
- Certifications such as Certified Protection Professional (CPP), Certified Information Systems Manager (CISM), or Certification for the Information Systems Security Professional (CISSP) preferred[10]
Chief Security Officer (CSO)

In some organizations, the CISO’s position may be combined with physical security responsibilities or may even report to a security manager who is responsible for both logical (information) security and physical security. Such a position is generally referred to as a CSO. The CSO must be capable and knowledgeable in both information security requirements and the “guards, gates, and guns” approach to protecting the physical infrastructure, buildings, and grounds of a place of business.

To qualify for this position, the candidate must demonstrate experience as a security manager and with planning, policy, and budgets. As mentioned earlier, some organizations prefer to hire people with law enforcement experience. The following is a typical example of a CSO’s job description:

Position: Director of Security

Responsibilities: Reporting to the Senior Vice President of Administration, the Director of Corporate Security will be responsible for all issues related to the security and protection of the company’s employees, executives, facilities, proprietary data and information. Accountable for the planning and design of the company’s security programs and procedures, this individual will facilitate protection from and resolution of theft, threats, and other situations that may endanger the well-being of the organization. Working through a small staff, the Director will be responsible for executive protection, travel advisories, employee background checks, and a myriad of other activities throughout the corporation on a case-by-case basis. The Director will serve as the company’s chief liaison with law enforcement agencies and, most importantly, will serve as a security consultant to all of the company’s autonomously run divisions. Travel requirements will be extensive.

Qualifications: The ideal candidate will have a successful background with a federal law enforcement agency, or other applicable experience, that will afford this individual an established network of contacts throughout the country. Additional private industry experience with a sizeable corporation—or as a consultant to same—is preferable. A proactive attitude with regard to security and protection is a must. The successful candidate must be capable of strategically assessing … client security needs and have a track record in areas such as crisis management, investigation, facility security, and executive protection. Finally, the candidate should have a basic understanding of the access and use of electronic information services as they apply to security issues. We seek candidates who are flexible enough to deal with varied business cultures and who possess the superior interpersonal skills to perform well in a consulting role where recommendations and advice are sought and valued, but perhaps not always acted upon. A college degree is required.[11]
Security Manager

Security managers are accountable for the day-to-day operation of the information security program. They accomplish objectives identified by the CISO and resolve issues identified by technicians. Management of technology requires a general understanding of that technology, but it does not necessarily require proficiency in the technology’s configuration, operation, and fault resolution. Note that several positions have titles that contain the word manager or suggest management responsibilities, but only people who are responsible for management functions, such as scheduling, setting relative priorities, or administering budgetary control, should be considered true managers.

A candidate for this position often has CISSP certification. Traditionally, managers earn the CISSP or CISM, and technical professionals earn the Global Information Assurance Certification (GIAC). You will learn more about these certifications later in the chapter.

Security managers must have the ability to draft middle- and lower-level policies as well as standards and guidelines. They must have experience in traditional business matters, such as budgeting, project management, hiring, and firing. They must also be able to manage technicians, both in the assignment of tasks and in the monitoring of activities. Experience with business continuity planning is usually a plus.

The following is a typical example of a security manager’s job description. Note that there are several types of security managers, as the position is much more specialized than that of CISO. Thus, when applying for a job as a security manager, you should read the job description carefully to determine exactly what the employer wants.
Position: Information Security Manager

Job description: This management position reports to the Chief Information Security Officer. The successful candidate will manage the development of the information security programs and control systems in conformance with organizational policy and standards across the organization. This is a high-visibility role that involves the day-to-day management of IT Security staff and their career development. The principal accountabilities for this role are as follows:
- Develop and manage information security programs and control systems under the supervision of the CISO in conjunction with the evolving information security architecture of the organization.
- Monitor performance of information security programs and control systems to maintain alignment with organizational policy and common industry practices for emerging threats and technologies.
- Prepare and communicate risk assessments for business risk in software developments as well as ongoing systems events (to include merger, acquisition, and divestiture) and ensure effective risk management across the organization’s IT systems.
- Represent the information security organization in the organization’s change management process.
- Perform assigned duties in the area of incident response management and disaster recovery response.
- Supervise assigned staff and perform other general management tasks as assigned, including budgeting, staffing, and employee performance reviews.

Compare the preceding general job description with the following more specific job description found in a recent advertisement:

Position: IT Security Compliance Manager

Job description: A job has arisen for an IT Security Compliance Manager reporting to the IT Security Manager. In this role you will manage the development of the client’s IT Security standards and operate a compliance program to ensure conformance at all stages of the systems life cycle. This is a key, hands-on role with the job holder taking an active part in the delivery of the compliance program. The role will also involve the day-to-day management of IT Security staff and their career development. The principal accountabilities for this role are as follows:
- Develop and manage an IT security compliance program.
- Develop the client’s security standards in line with industry standards and emerging threats and technologies.
- Identify IT-related business risk in new software and game developments and ensure that effective risk management solutions are identified and complied with.
- Manage and conduct IT security compliance reviews in conjunction with operational and IT Audit staff.
- Conduct investigations into security breaches or vulnerabilities.

Candidate profile: The ideal candidate should have five years’ experience of managing the implementation of technical security controls and related operational procedures and must have sound business risk management skills. You must have a flexible approach to working and must be able and willing to work unsociable hours to meet the demands of the role.[12]

The second example illustrates the confusion in the information security field regarding job titles and reporting relationships. The first job description identifies responsibilities for the position and describes points where information security interacts with other business functions, but the second spreads responsibilities among several business functions and does not seem to reflect a clearly defined role for the position or the information security unit within the organization. Until some similarity in job titles and expected roles and responsibilities emerges, information security job candidates should carefully research open positions instead of relying solely on the job title.
Security Technician

Security technicians are technically qualified employees who are tasked to configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization’s security technology is properly implemented. A security technician is often an entry-level position, but to be hired for this role, candidates must possess some technical skills. This often poses a dilemma for applicants, as many find it difficult to get a job in a new field without experience—they can only attain such experience by getting a job. As in the networking arena, security technicians tend to specialize in one major security technology group (firewalls, IDPSs, servers, routers, or software) and in one particular software or hardware package, such as Check Point firewalls, Nokia firewalls, or Tripwire IDPSs. These areas are sufficiently complex to warrant a high level of specialization, but to move up in the corporate hierarchy, security technicians must expand their knowledge horizontally—that is, gain an understanding of general organizational issues related to information security and its technical areas.

The technical qualifications and position requirements vary for a security technician. Organizations prefer an expert, certified, proficient technician. Regardless of the area of needed expertise, the job description covers some level of experience with a particular hardware and software package. Sometimes, familiarity with a technology secures an applicant an interview; however, actual experience in using the technology is usually required. The following is a typical job announcement for a security technician:

Position: Firewall Engineering Consultant

Job Description: Working for an exciting customer-focused security group within one of the largest managed network providers in the country. You will have the opportunity to expand your experience and gain all the technical and professional support to achieve within the group. Must have experience to third-line technical support of firewall technologies. Check Point certified. Experienced in Nokia systems.

Package: Possible company car, discretionary bonus, private health care, on-call pay, and overtime pay.[13]

Because overtime and on-call pay are listed, this job is probably an hourly position rather than a salaried one, which is common for security technicians.
Credentials for Information Security Professionals

As mentioned earlier, many organizations seek industry-recognized certifications to screen candidates for the required level of technical proficiency. Unfortunately, however, most existing certifications are relatively new and not fully understood by hiring organizations. The certifying bodies are working hard to educate employers and professionals on the value and qualifications of their certificate programs. In the meantime, employers are trying to understand the match between certifications and position requirements, and hopeful professionals are trying to gain meaningful employment based on their new certifications.

‡ (ISC)² Certifications

The International Information Systems Security Certification Consortium, known as (ISC)², offers security certifications such as the Certified Information Systems Security Professional (CISSP), the Systems Security Certified Practitioner (SSCP), and the Certified Secure Software Lifecycle Professional (CSSLP). You can visit the Web site at www.isc2.org.

CISSP

The CISSP certification is considered the most prestigious for security managers and CISOs. It recognizes mastery of an internationally identified Common Body of Knowledge (CBK) in information security. To sit for the CISSP exam, the candidate must have at least five years of direct, full-time experience as a security professional working in at least two of the 10 domains of information security knowledge, or four years of direct security work experience in two or more domains. The candidate must also have a four-year college degree.

The CISSP exam consists of 250 multiple-choice questions and must be completed within six hours. It tests candidates on their knowledge of the following 10 domains:
- Access control
- Business continuity and disaster recovery planning
- Cryptography
- Information security governance and risk management
- Legal issues, regulations, investigations, and compliance
- Operations security
- Physical (environmental) security
- Security architecture and design
- Software development security
- Telecommunications and network security

CISSP certification requires successful completion of the exam. Also, to ensure that applicants meet the experience requirement, they must truthfully submit responses to the following questions, which are included in the CISSP Candidate Information Bulletin:
1. Have you ever been convicted of a felony; a misdemeanor involving a computer crime, dishonesty, or repeat offenses; or a Court Martial in military service, or is there a felony charge, indictment, or information now pending against you?
2. Have you ever had a professional license, certification, membership or registration revoked, or have you ever been censured or disciplined by any professional organization or government agency?
3. Have you ever been involved, or publicly identified, with criminal hackers or hacking?
4. Have you ever been known by any other name, alias, or pseudonym?[14]

The breadth and depth of each of the 10 domains makes CISSP certification one of the most challenging to obtain in information security. Holders of the CISSP must earn a specific number of continuing education credits every three years to retain the certification.

Once candidates successfully complete the exam, they may be required to submit an endorsement by an actively credentialed CISSP or by their employer as validation of their professional experience.
CISSP Concentrations In addition to the major certifications that (ISC)² offers, a number of concentrations are available for CISSPs to demonstrate advanced knowledge beyond the CISSP CBK. Each concentration requires that the applicant be a CISSP in good standing, pass a separate examination, and maintain the certification through continuing professional education. These concentrations and their respective areas of knowledge are shown in the following list and presented on the (ISC)² Web site:
ISSAP®: Information Systems Security Architecture Professional
Access control systems and methodology
Communications and network security
Cryptography
Security architecture analysis
Technology-related business continuity planning and disaster recovery planning
Physical security considerations
ISSEP®: Information Systems Security Engineering Professional
Systems security engineering
Certification and accreditation/risk management framework
Technical management
U.S. government information assurance-related policies and issuances
ISSMP®: Information Systems Security Management Professional
Enterprise security management practices
Business continuity planning and disaster recovery planning
Security management practices
System development security
Law, investigations, forensics, and ethics
Security compliance management [15]
Credentials for Information Security Professionals 563
SSCP Because it is difficult to master the broad array of knowledge encompassed in the 10 domains covered by the flagship CISSP exam, many security professionals seek less rigorous certifications, such as (ISC)²’s SSCP certification. The SSCP focuses on practices, roles, and responsibilities as defined by experts from major information security industries. [16] Like the CISSP, the SSCP certification is more applicable to the security manager than to the technician, as the bulk of its questions focus on the operational nature of information security. Nevertheless, an information security technician who seeks advancement can benefit from this certification.
The SSCP exam consists of 125 multiple-choice questions and must be completed within three hours. It covers seven domains:
Access controls
Cryptography
Malicious code and activity
Monitoring and analysis
Networks and telecommunications
Risk, response, and recovery
Security operations and administration
Many consider the SSCP to be a scaled-down version of the CISSP. The seven domains are not a subset of the CISSP domains; they contain slightly more technical content. As with the CISSP, SSCP holders must either earn continuing education credits to retain the certification or retake the exam.
CSSLP The Certified Secure Software Lifecycle Professional (CSSLP) [17] is a new (ISC)² certification focused on the development of secure applications. To qualify for the CSSLP, you must have at least four years of recent experience with the software development life cycle and be defined as an expert in four of the following seven experience assessment topic areas:
Secure software concepts: Security implications in software development
Secure software requirements: Capturing security requirements in the requirements-gathering phase
Secure software design: Translating security requirements into application design elements
Secure software implementation/coding: Unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
Secure software testing: Integrated QA testing for security functionality and resiliency to attack
Software acceptance: Security implications in the software acceptance phase
Software deployment, operations, maintenance, and disposal: Security issues for steady-state operations and management of software
You must compose an essay in each of your four areas of expertise and submit it as your exam. This test is radically different from the multiple-choice exams (ISC)² normally administers. Once your experience has been verified and you successfully complete the essay exam, you can be certified. If necessary, you can qualify as an (ISC)² Associate until you obtain the requisite experience to qualify for the CSSLP.
Associate of (ISC)² (ISC)² has an innovative approach to the experience requirement in its certification program. Its Associate of (ISC)² program is geared toward people who want to take the CISSP or SSCP exam before obtaining the requisite experience for certification.
Candidates who pass the CAP®, CCFP℠, CISSP®, CSSLP®, HCISPP℠, or SSCP® exams and agree to subscribe to the (ISC)² Code of Ethics as well as maintain Continuing Professional Education (CPE) credits and pay the appropriate fees can maintain their status as an Associate until they have logged the required years of experience.
‡ ISACA Certifications
ISACA (www.isaca.org) also offers several reputable security certifications, including the Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and the Certified in the Governance of Enterprise IT (CGEIT).
CISM The CISM credential is geared toward experienced information security managers and others who may have similar management responsibilities. The CISM can assure executive management that a candidate has the required background knowledge needed for effective security management and consulting. This exam is offered annually. The CISM examination covers the following practice domains described in the ISACA 2014 Exam Candidate Information Guide:
1. Information Security Governance (24 percent): Establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives, information risk is managed appropriately and program resources are managed responsibly.
2. Information Risk Management and Compliance (33 percent): Manage information risk to an acceptable level to meet the business and compliance requirements of the organization.
3. Information Security Program Development and Management (25 percent): Establish and manage the information security program in alignment with the information security strategy.
4. Information Security Incident Management (18 percent): Plan, establish, and manage the capability to detect, investigate, respond to, and recover from information security incidents to minimize business impact. [18]
To be certified, the applicant must:
Pass the examination.
Adhere to a code of ethics promulgated by ISACA.
Pursue continuing education as specified.
Document five years of information security work experience with at least three years in information security management in three of the four defined areas of practice.
CISA The CISA credential is not specifically a security certification, but it does include many information security components. ISACA touts the certification as being appropriate for auditing, networking, and security professionals. CISA requirements are as follows:
Successful completion of the CISA examination
Experience as an information security auditor, with a minimum of five years’ professional experience in information systems auditing, control, or security
Agreement to the Code of Professional Ethics
Payment of maintenance fees, a minimum of 20 contact hours of continuing education annually, and a minimum of 120 contact hours during a fixed three-year period
Adherence to the Information Systems Auditing Standards
The exam covers the following areas of information systems auditing, as described in the ISACA 2014 Exam Candidate Information Guide:
1. The Process of Auditing Information Systems (14 percent): Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.
2. Governance and Management of IT (14 percent): Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization’s strategy.
3. Information Systems Acquisition, Development and Implementation (19 percent): Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives.
4. Information Systems Operations, Maintenance and Support (23 percent): Provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.
5. Protection of Information Assets (30 percent): Provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity, and availability of information assets. [19]
The CISA exam is offered only a few times each year, so planning is a must.
CGEIT Also available from ISACA is the Certified in the Governance of Enterprise IT (CGEIT) certification. The exam is targeted at upper-level executives, including CISOs and CIOs, directors, and consultants with knowledge and experience in IT governance. The CGEIT areas of knowledge include risk management components, which make it an interesting certification for upper-level information security managers. The exam covers the following areas, as described in the ISACA 2014 Exam Candidate Information Guide:
1. Framework for the Governance of Enterprise IT (25 percent): Ensure the definition, establishment, and management of a framework for the governance of enterprise IT in alignment with the mission, vision, and values of the enterprise.
2. Strategic Management (20 percent): Ensure that IT enables and supports the achievement of enterprise objectives through the integration and alignment of IT strategic plans with enterprise strategic plans.
3. Benefits Realization (16 percent): Ensure that IT-enabled investments are managed to deliver optimized business benefits and that benefit realization outcome and performance measures are established, evaluated and progress is reported to key stakeholders.
4. Risk Optimization (24 percent): Ensure that an IT risk management framework exists to identify, analyze, mitigate, manage, monitor, and communicate IT-related business risk, and that the framework for IT risk management is in alignment with the enterprise risk management (ERM) framework.
5. Resource Optimization (15 percent): Ensure the optimization of IT resources, including information, services, infrastructure and applications, and people, to support the achievement of enterprise objectives. [20]
The certification requirements are similar to those for other ISACA certifications. Candidates must have at least one year of experience in IT governance and additional experience in at least two of the domains listed.
CRISC The newest ISACA certification is the Certified in Risk and Information Systems Control (CRISC). The certification is targeted at managers and employees with knowledge and experience in risk management. The CRISC areas of knowledge include risk management components, which make it an interesting certification for upper-level information security managers. The exam covers the following areas, as described in the ISACA 2014 Exam Candidate Information Guide:
1. Risk Identification, Assessment and Evaluation (31 percent): Identify, assess, and evaluate risk factors to enable the execution of the enterprise risk management strategy.
2. Risk Response (17 percent): Develop and implement risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.
3. Risk Monitoring (17 percent): Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise’s risk management strategy.
4. Information Systems Control Design and Implementation (17 percent): Design and implement information systems controls in alignment with the organization’s risk appetite and tolerance levels to support business objectives.
5. Information Systems Control Monitoring and Maintenance (18 percent): Monitor and maintain information systems controls to ensure that they function effectively and efficiently. [21]
The certification requires the candidate to have a minimum of three years’ experience in risk management and information systems control in at least three of the stated domains, although the candidate may elect to take the exam before fulfilling the experience requirement. This practice is accepted and encouraged by ISACA, but the candidate will not receive the certification until the experience requirement is met.
‡ SANS Certifications
In 1999, the SANS Institute, formerly known as the System Administration, Networking, and Security Institute (www.sans.org), developed a series of technical security certifications known as the Global Information Assurance Certification (GIAC; www.giac.org). GIAC certifications not only test for knowledge, they require candidates to demonstrate application of that knowledge. With the introduction of the GIAC Information Security Professional (GISP) and the GIAC Security Leadership Certification (GSLC), SANS now offers more than just technical certifications. The GIAC family of certifications can be pursued independently or combined to earn a comprehensive certification called GIAC Security Engineer (GSE).
The GISP is an overview certification that combines basic technical knowledge with an understanding of threats, risks, and best practices, similar to the CISSP. Unlike other certifications, some GIAC certifications require applicants to complete a written practical assignment that tests their ability to apply skills and knowledge. These assignments are submitted to the SANS Information Security Reading Room for review by security practitioners, potential certificate applicants, and others with an interest in information security. Only when the practical assignment is complete is the candidate allowed to take the online exam. According to SANS:
GIAC now offers three types of certification: Silver, Gold, and Platinum. The requirements for Silver certification are the completion of exam(s). Full certifications require two exams; certificates require a single exam. After earning Silver certification, a candidate can apply for Gold certification, which requires a technical paper. The technical paper demonstrates real-world, hands-on mastery of security skills. Passing technical papers will be posted to the GIAC List of Certified Professionals pages and to the SANS Information Security Reading Room to share candidates’ knowledge and research, and to further educate the security community.
GIAC Platinum certifications require a multiple-choice test, along with a day-long lab to test candidates’ hands-on skill. [22]
The GIAC management certificates and certifications include:
GISP
GSLC
GIAC Certified ISO-27000 Specialist (G2700)
GIAC Certified Project Manager (GCPM)
GIAC has also added several shorter programs known as Skills Test and Reports (STARs), which are “less involved but more focused” than standard GIAC certifications.
Most GIAC certifications are offered in conjunction with SANS training. For more information on the GIAC security-related certification requirements, visit www.giac.org/certifications.
‡ EC Council Certifications
A new competitor in certifications for security management, EC Council, now offers a Certified CISO (C|CISO) certification, which is designed to be a unique recognition for those at the peak of their professional careers. The C|CISO tests not only security domain knowledge, but knowledge of executive business management. The C|CISO includes the following domains:
Domain 1: Governance (Policy, Legal, and Compliance): This domain focuses on the external regulatory and legal issues a CISO faces, as well as the strategic information security governance programs promoted in forward-thinking organizations. It also contains areas related to security compliance to ensure that the organization conforms to applicable laws and regulations. Finally, it includes areas of information security standards, such as Federal Information Processing Standards and ISO 27000, and it incorporates areas in risk management. [23]
Domain 2: IS Management Controls and Auditing Management (Projects, Technology, and Operations): This domain includes knowledge areas associated with information systems controls and auditing, similar to those found in ISACA certifications. These areas include developing, implementing, and monitoring IS controls as well as reporting the findings to executive management. Auditing areas include planning, conducting, and evaluating audits in the organization. [24]
Domain 3: Management (Projects and Operations): This domain contains basic managerial roles and responsibilities any security manager would be expected to have mastered. It includes the fundamentals of management covered in earlier chapters, including planning, organizing, staffing, directing, and controlling security resources. [25]
Domain 4: Information Security Core Competencies: This domain covers the common body of information security knowledge that any CISO would be expected to possess. The domain includes subdomains in the following areas:
Access control
Social engineering, phishing attacks, identity theft
Physical security
Risk management
Disaster recovery and business continuity planning
Firewalls, IDPSs, and network defense systems
Wireless security
Viruses, Trojans, and malware threats
Secure coding best practices and securing Web applications
Hardening operating systems
Encryption technologies
Vulnerability assessment and penetration testing
Computer forensics and incident response [26]
Domain 5: Strategic Planning and Finance: This domain addresses CISO tasks associated with conducting strategic planning and financial management of the security department. The domain includes performance measures, IT investments, internal and external analyses, and developing and implementing enterprise security architectures. [27]
‡ CompTIA Certifications
CompTIA (www.comptia.com)—the organization that offered the first vendor-neutral professional IT certifications, the A+ series—now offers a program called the Security+ certification. The CompTIA Security+ certification tests for security knowledge. Candidates must have two years of on-the-job networking experience. The exam covers industry-wide topics, including communication security, infrastructure security, cryptography, access control, authentication, external attack, and operational and organization security. CompTIA Security+ curricula are taught at colleges, universities, and commercial training centers around the globe. CompTIA Security+ is used as an elective or prerequisite to advanced vendor-specific and vendor-neutral security certifications. [29]
The exam covers the domains shown in Table 11-1.
Table 11-1 Domains Covered in the CompTIA Security+ Exam
Domain                                       Percentage of examination
1.0 Network Security                         20%
2.0 Compliance and Operational Security      18%
3.0 Threats and Vulnerabilities              20%
4.0 Application, Data, and Host Security     15%
5.0 Access Control and Identity Management   15%
6.0 Cryptography                             12%
Source: CompTIA. [28]
‡ ISFCE Certifications
The International Society of Forensic Computer Examiners (ISFCE) offers two levels of certification.
Certified Computer Examiner (CCE) Certified Computer Examiner (CCE)® is a computer forensics certification provided by the ISFCE (www.isfce.com). To complete the CCE certification process, the applicant must:
Have no criminal record
Meet minimum experience, training, or self-training requirements
Abide by the certification’s code of ethical standards
Pass an online examination
Successfully perform actual forensic examinations on three test media
The CCE certification process covers the following areas:
Ethics in practice
Key legislation in, and its impact on, digital forensics
Software licensing and validation
General computer hardware used in data collection
Networking and its involvement in forensics and data collection
Common computer operating system and file systems organization and architecture
Forensics data seizure procedures
Casework and other forensics examination procedures
Common computer media, as used as evidence, in physical and logical storage media operations, and procedures for sterilization and use
Use of forensic boot disks
Forensic examination skills and procedures
This certification also includes concentrations and endorsements corresponding to the various operating systems in current business environments. A CCE who earns three or more of these endorsements qualifies as a Master Certified Computer Examiner (MCCE). [30]
‡ Certification Costs
Certifications cost money, and the more preferred certifications can be expensive. Individual certification exams can cost as much as $750, and certifications that require multiple exams can cost thousands of dollars. In addition, the cost of formal training to prepare for the exams can be significant. While you should not rely completely on certification preparation courses as groundwork for a real-world position, they can help you round out your knowledge and fill in gaps. Some certification exams, such as the CISSP, are very broad; others, such as components of the GIAC, are very technical. Given the nature of the knowledge needed to pass the examinations, most experienced professionals find the tests difficult without at least some review. Many prospective certificate holders engage in individual or group study sessions and purchase one of the many excellent exam review books on the subject.
Certifications are designed to recognize experts in their respective fields, but the cost of certification deters those who might take the exam just to see if they can pass. Most examinations require between two and three years of work experience, and they are often structured to reward candidates who have significant hands-on experience. Some certification programs require that candidates document certain minimum experience requirements before they are permitted to sit for the exams. Before attempting a certification exam, do your homework. Look into the exam’s stated body of knowledge as well as its purpose and requirements to ensure that the time and energy spent pursuing the certification are worthwhile. Figure 11-5 shows several approaches to preparing for security certification.
On the topic of professional certification for information security practitioners, Charles Cresson Wood reports the following:
With résumé fraud on the rise, one of the sure-fire methods for employers to be sure that the people they hire are indeed familiar with the essentials of the field is to insist that they have certain certifications. The certifications can then be checked with the issuing organizations to make sure that they have indeed been conferred on the applicant for employment. […] The key is to insist that they have certain certifications. The […] professional certifications are relevant primarily to centralized information security positions. They are not generally relevant to staff working in decentralized information security positions, unless these individuals intend to become information security specialists. You may also look for these certifications on the résumés of consultants and contractors working in the information security field. You may wish to list these designations in help-wanted advertisements, look for them on résumés, and ask about them during interviews. Automatic résumé scanning software can also be set up to search for these strings of characters. [31]
‡ Advice for Information Security Professionals
As a future information security professional, you may benefit from the following suggestions:

Always remember: business before technology. Technology solutions are tools for solving business problems. Information security professionals are sometimes guilty of looking for ways to apply the newest technology to problems that do not require technology-based solutions.

When evaluating a problem, look at the source of the problem first, determine what factors affect the problem, and see where organizational policy can lead you in designing a solution that is independent of technology. Then use technology to deploy the controls necessary for implementing the solution. Technology can provide elegant solutions to some problems, but it only exacerbates others.

Your job is to protect the organization’s information and information systems resources. Never lose sight of the goal: protection.
Be heard and not seen. Information security should be transparent to users. With minor exceptions, the actions taken to protect information should not interfere with users’ actions. Information security supports the work of end users, not the other way around. The only routine communications from the security team to users should be periodic awareness messages, training announcements, newsletters, and e-mails.

Figure 11-5 Preparing for security certification (figure: self-study guides, certification mentors and study partners, work experience, training media, formal training programs)
Know more than you say, and be more skillful than you let on. Don’t try to impress users, managers, and other nontechnical people with your level of knowledge and experience. One day you just might run into a Jedi master of information security who puts you in your place.

Speak to users, not at them. Use their language, not yours. Users aren’t impressed with technobabble and jargon. They may not comprehend all the TLAs (three-letter acronyms), technical components, software, and hardware necessary to protect their systems, but they do know how to short-circuit your next budget request or pick out the flaws in your business report.

Your education is never complete. As sensitive as you are to the fact that information technology is ever evolving, you must be equally sensitive to the fact that information security education is never complete. Just when you think you have mastered the latest skills, you will encounter changes in threats, protection technology, your business environment, or the regulatory environment. As a security professional, you must expect to continue with the learning process throughout your entire career. This is best accomplished by seeking out periodic seminars, training programs, and formal education. Even if the organization or your pocketbook cannot afford the more extensive and expensive training programs and conferences, you can keep abreast of the market by reading trade magazines, textbooks, and news articles about security. You can also subscribe to the many mailing lists for information security professionals. Several are listed in the nearby Offline feature entitled “What’s in a Name?” Join at least one professional information security association, such as the Information Systems Security Association (www.issa.org). Whatever approach you take, keep on top of the reading, never stop learning, and make yourself the best-informed security professional possible. It can only enhance your worth to the organization and your career.
Employment Policies and Practices
To create an environment in which information security is taken seriously, an organization should make it a documented part of every employee’s job description. In other words, the general management community of interest should integrate solid concepts for information security into the organization’s employment policies and practices. This section examines important information security issues associated with recruiting, hiring, firing, and managing human resources in an organization.
From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls. Therefore, the CISO and information security manager should work with the Human Resources department to incorporate information security into the guidelines used for hiring all personnel. Figure 11-6 highlights some of the hiring issues.

Figure 11-6 Hiring issues (figure: background checks, covenants and agreements, certifications, policies, contracts)

‡ Job Descriptions
The process of integrating information security into the hiring process begins with reviewing and updating all job descriptions. To prevent people from applying for positions based solely on access to sensitive information, the organization should avoid revealing access privileges to prospective employees when it advertises open positions.

OFFLINE
What’s in a Name?
Here are some job titles listed in job search databases that the authors reviewed to prepare this section. See if you can guess the position level based on the title.
● Senior security analyst
● SAP security analyst
● Security supervisor
● Direct loss prevention manager
● Security officer (not a guard job)
● Loss prevention consultant
● Site supervisor—security
● Safeguards and security specialist
To perform your own job title search or search for an actual job in the field of information security, you can begin by reviewing the job search databases at the following Web sites:
● Commercial job listing sites such as www.justsecurityjobs.com, www.itsecurityjobs.com, and securityjobs.net
● U.S. federal agency position listings such as www.usajobs.gov
● Job listing sites associated with periodicals, such as www.csoonline.com/security/jobs/1 and http://online.wsj.com/public/page/news-career-jobs.html
● Job listings by professional organization, such as www.isc2.org/careers/ and www.isaca.org (click on Career Center)
‡ Interviews
Some interviews with job candidates are conducted with members of the Human Resources (HR) staff, and others include members of the department for which the position is being offered. An opening within the Information Security department creates a unique opportunity for the security manager to educate HR on the various certifications and specific experience each certification requires, as well as the qualifications of a good candidate. In all other areas of the organization, Information Security should advise HR to limit information provided to the candidate about responsibilities and access rights of the new hire. For organizations that include onsite visits as part of their initial or follow-up interviews, it is important to exercise caution when showing a candidate around the facility. Avoid tours through secure and restricted sites. Candidates who receive tours may be able to retain enough information about operations or information security functions to become a threat.
‡ Background Checks
A background check should be conducted before an organization extends an offer to a job candidate. A background check is an investigation into the candidate’s past that looks for criminal behavior or other types of behavior that could indicate potential for future misconduct. Several government regulations specify what the organization can investigate and how much of the information uncovered can be allowed to influence the hiring decision. The security manager and HR manager should discuss these matters with legal counsel to determine what state, federal, and perhaps international regulations affect the hiring process.

Background checks differ in the level of detail and depth with which they examine a candidate. In the military, background checks determine the candidate’s level of security classification, a requirement for many positions. In the business world, a background check can determine the level of trust the business places in the candidate. People being considered for security positions should expect to be subjected to a moderately high-level background check. Those considering careers in law enforcement or high-security positions may even be required to submit to polygraph tests. The following list summarizes various types of background checks and the information checked for each:
● Identity checks: Validation of identity and Social Security number
● Education and credential checks: Validation of institutions attended, degrees and certifications earned, and certification status
● Previous employment verification: Validation of where candidates worked, why they left, what they did, and for how long
● Reference checks: Validation of references and integrity of reference sources
● Workers’ compensation history: Investigation of claims from workers’ compensation
● Motor vehicle records: Investigation of driving records, suspensions, and DUIs
● Drug history: Screening for drugs and drug usage, past and present
● Credit history: Investigation of credit problems, financial problems, and bankruptcy
● Civil court history: Investigation of the candidate’s involvement as a plaintiff or defendant in civil suits
● Criminal court history: Investigation of criminal background, arrests, convictions, and time served
As mentioned, there are federal regulations for the use of personal information in employment practices, including the Fair Credit Reporting Act (FCRA), which governs the activities of consumer credit reporting agencies and the uses of information procured from them. 32 These credit reports generally contain information about a job candidate’s credit history, employment history, and other personal data.

Among other things, the FCRA prohibits employers from obtaining these reports unless the candidate is informed in writing that such a report will be requested as part of the employment process. The FCRA also allows the candidate to request information about the nature and type of reporting used in making the employment decision and subsequently enables the candidate to learn the content of these reports. The FCRA also restricts the periods of time these reports can address. If the candidate earns less than $75,000 per year, the report can contain only seven years of negative credit information. If the candidate earns $75,000 or more per year, there is no time limitation. Note that “any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under title 18, United States Code, imprisoned for not more than two years, or both.” 33
‡ Employment Contracts
Once a candidate has accepted a job offer, the employment contract becomes an important security instrument. Many of the policies discussed in Chapter 4—specifically, the fair and responsible use policies—require an employee to agree in writing to monitoring and nondisclosure agreements. If existing employees refuse to sign these agreements, security personnel are placed in a difficult situation. They may not be able to force employees to sign or to deny employees access to the systems necessary to perform their duties. With new employees, however, security personnel are in a different situation because the procedural step of policy acknowledgment can be made a requirement of employment. Policies that govern employee behavior and are applied to all employees may be classified as “employment contingent upon agreement.” This classification means the potential employee must agree in a written affidavit to conform with binding organizational policies before being hired. Some organizations choose to execute the remainder of the employment contract after the candidate has signed the security agreements. Although this may seem harsh, it is a necessary component of the security process. Employment contracts may also contain restrictive clauses regarding the creation and ownership of intellectual property while the candidate is employed by the organization. These provisions may require the employee to actively protect the organization’s information assets—especially assets that are critical to security.