BU Data Security IT Jobs Not Directly Associated with Information Security Discussion

Bethel University

Question Description

I don’t understand this Management question and need help to study.

Minimum word count is 250 words. Must have, at least, two scholarly sources, one of which can be the course text/textbook. Please be sure to use in-text citations and properly cite the sources according to APA format guidelines.

  • When an organization undertakes an InfoSec-driven review of job descriptions, which job descriptions must be reviewed? Which IT jobs not directly associated with information security should be reviewed?
  • Why is it important to have a body of standard job descriptions for hiring InfoSec professionals?

Unformatted Attachment Preview

Chapter 11 Personnel and Security

9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization.

If an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.
KEVIN MITNICK

Mike Edwards stuck his head into Iris’s office and asked, “Iris, are you free for the next hour or so?” Iris glanced at her calendar and said, “Sure. What’s up?” Mike was standing in the hall with Erik Paulson, the manager of Random Widget Works, Inc.’s (RWW’s) help desk. Both men looked grave. “Can you bring the human resources policy manual with you?” Mike asked. Without asking any further questions, Iris pulled the manual from her bookshelf and joined the pair. As they walked down the hall, Mike filled her in on the developing situation.

In the meeting room that adjoined the Chief Executive Officer’s (CEO’s) office, three people were already seated. Mike and Paul took seats at the table, and Iris took a chair along the wall. Robin Gateere, RWW’s CEO, cleared her throat and said, “Okay. Let’s get started.” Jerry Martin from legal was facilitating the meeting. Also in the room was Gloria Simpson, senior vice president of human resources. Mike had asked Iris to join this upper-level management meeting because of her familiarity with human resources policy regarding information security.

Jerry spoke first. “Recent events have caused us to revisit our hiring policies,” he said. “Last week, one of our employees was arrested, and our company name was plastered all over the newspapers and on television. It turns out that the employee was on parole for sexual assault. He was hired into our IT department to work at the help desk. The police have discovered that he is running a pornography Web site.
His parole was revoked, and he’s now in state prison. What I want to know is how he came to be an employee of this company in the first place, and what do we do now?”

Robin took the floor. “As to the second question,” she said, “we terminated his employment for cause since he did not report to work, because he is in jail. As to the first question….” She looked pointedly at Erik and said, “What do you know?”

Erik seemed uneasy. “This is the first time I became aware that Sam had trouble with the law,” he said. “As a matter of fact, I was the hiring manager who recruited him, and all of this is news to me. Of course, we followed the required human resources procedures when we hired him, although I have always wondered why a hiring manager doesn’t get to see the whole personnel file for new hires.”

Gloria spoke up. “That practice does seem odd in light of this case,” she said. “According to his file, Sam did write about his conviction and parole status on his application. In fact, we did an identity check and received a criminal background report that confirmed the conviction and his parole status. He didn’t lie on his application, but it’s beyond me how Erik was ever cleared to make him a job offer.”

Erik lifted the folder he was holding. “Here’s the whole hiring manager’s packet on Sam,” he said. “This is the actual file I received from HR. I happened to save it in the employee jacket in my files. As you can see, the standard clearance to extend an offer is right here.” He slid the folder down the table to Gloria, who looked at the approval signature on the form.

Iris realized several things: Some of the archaic practices in human resources were about to change, somebody in human resources was in a lot of trouble, and it was time for her to revisit all of the company’s personnel information security policies.
LEARNING OBJECTIVES

Upon completion of this material, you should be able to:
• Identify the skills and requirements for information security positions
• List the various information security professional certifications, and identify which skills are encompassed by each
• Discuss and implement information security constraints on the general hiring processes
• Explain the role of information security in employee terminations
• Describe the security practices used to control employee behavior and prevent misuse of information

Introduction

Maintaining a secure environment requires that the information security (InfoSec) department be carefully structured and staffed with appropriately skilled and screened personnel. It also requires that the proper procedures be integrated into all human resources activities, including hiring, training, promotion, and termination practices. The first part of this chapter discusses InfoSec personnel hiring issues and practices, including information about the most sought-after professional certification credentials. Some aspects of managing InfoSec personnel—such as the placement of the InfoSec department within the organization—were covered in Chapter 5. This chapter provides more details about the proper staffing (or adjusting the staffing plan) of the InfoSec function. It also describes how to adjust IT job descriptions and documented practices to fulfill InfoSec requirements throughout the organization. The second part of this chapter presents strategies for integrating InfoSec policies into an organization’s general hiring practices. This effort requires collaboration between the general management community of interest and InfoSec professionals.
Staffing the Security Function

Selecting an effective mix of InfoSec personnel for your organization requires that you consider a number of criteria. Some of these criteria are within the control of the organization; others are not, such as the supply and demand of various skills and experience levels. In general, when the demand for any commodity—including personnel with critical InfoSec technical or managerial skills—rises quickly, the initial supply often fails to meet it. As demand becomes known, professionals entering the job market or refocusing their job skills seek to gain the required skills, experience, and credentials. Until this new supply can meet the demand, however, competition for the scarce resource will continue to drive up costs. Once the supply is level with or higher than demand, organizations can become more selective and no longer need to pay a premium for those skills. This process swings back and forth like a clock pendulum, because the real economy, unlike an econometric model, is seldom in a state of equilibrium for long periods of time. For example, there was excess demand for experienced enterprise resource planning (ERP) professionals in the 1990s and for experienced Common Business-Oriented Language (COBOL) programmers at the turn of the 21st century, because of concerns about Y2K issues. At the time of this writing, the outlook is still good for experienced security professionals, and many new entrants to the field are able to find work. But funding priorities have precluded massive hiring to meet this predicted need for skilled InfoSec professionals. Many economic forecasters expect this deferred demand to become active as organizations seek to meet the perceived demand for InfoSec workers. The cold reality is that as long as there are hackers and other security “bad guys,” there will be a need for competent InfoSec professionals.
The “2012 (ISC)2 Career Impact Survey” found less than 4 percent of the over 2250 survey respondents were unemployed, and half of those for reasons other than job availability. Some reported retiring, leaving the area, or pursuing higher education, for example. There is still high turnover in the field, with over 35 percent of respondents reporting changing jobs in 2012, but this was mostly due to advancement opportunity (53 percent) or personal preference (17 percent).1

Qualifications and Requirements

Due to the relatively recent emergence of InfoSec as a distinct discipline, many organizations are still not certain which qualifications competent InfoSec personnel should have. In many cases, the InfoSec staff lacks established roles and responsibilities. To move the InfoSec discipline forward, organizations should take the following steps:
● The general management community of interest should learn more about the requirements and qualifications for both InfoSec positions and relevant IT positions.
● Upper management should learn more about InfoSec budgetary and personnel needs.
● The IT and general management communities of interest should grant the InfoSec function—in particular, the chief information security officer (CISO)—an appropriate level of influence and prestige.

In most cases, organizations look for a technically qualified InfoSec generalist with a solid understanding of how organizations operate. In many other fields, the more specialized professionals become, the more marketable they are. In InfoSec, overspecialization can actually be a drawback.
When hiring InfoSec professionals at all levels, organizations frequently look for individuals who:
● Understand how organizations are structured and operated
● Recognize that InfoSec is a management task that cannot be handled with technology alone
● Work well with people in general, including users, and have strong written and verbal communication skills
● Understand the essential role of InfoSec education and training, which helps make users part of the solution rather than part of the problem
● Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from InfoSec attacks
● Acknowledge the role of policy in guiding security efforts
● Understand how technical controls (including firewalls, intrusion detection systems [IDSs], and antivirus software) can be applied to solve specific InfoSec problems
● Demonstrate familiarity with the mainstream information technologies, including the most popular and newest Windows, Linux, and UNIX operating systems
● Understand IT and InfoSec terminology and concepts

Entering the Information Security Profession

Many InfoSec professionals enter the field after having prior careers in law enforcement or the military, or careers in other IT areas, such as networking, programming, database administration, or systems administration. Recently, college graduates who have tailored their degree programs to specialize in InfoSec have begun to enter the field in appreciable numbers. Figure 11-1 illustrates these possible career paths. Many information technologists believe that InfoSec professionals must have an established track record in some other IT specialty. However, IT professionals who move into InfoSec tend to focus on technical problems and solutions to the exclusion of general InfoSec issues.

[Figure 11-1 Information security career paths. Traditional career path to InfoSec: military/law enforcement or technology, leading to information security. Modern career path to InfoSec now includes security education, leading to information security. Copyright © 2014 Cengage Learning®.]

Organizations can foster greater professionalism in the InfoSec discipline by clearly defining their expectations and establishing explicit position descriptions.

Information Security Positions

Standardizing job descriptions can increase the degree of professionalism in the field of InfoSec, as well as improve the consistency of roles and responsibilities among organizations. Organizations can find complete InfoSec job descriptions in Charles Cresson Wood’s book Information Security Roles and Responsibilities Made Easy, Version 3. Excerpts from this book are provided later in this chapter.2 As you learned in Chapter 5, Schwartz et al. classify InfoSec positions into one of three areas: those that define, those that build, and those that administer:

Definers provide the policies, guidelines, and standards.… They’re the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth. Then you have the builders. They’re the real techies, who create and install security solutions.… Finally, you have the people who operate and [administer] the security tools, the security monitoring function, and the people who continuously improve the processes. This is where all the day-to-day, hard work is done. What I find is we often try to use the same people for all of these roles.
We use builders all the time.… If you break your information security professionals into these three groups, you can recruit them more efficiently, with the policy people being the more senior people, the builders being more technical, and the operating people being those you can train to do a specific task.3

One could find a number of position titles that fit these three roles. The following sections discuss some specific job titles that follow this model. Figure 11-2 shows typical InfoSec job positions and the departmental hierarchy.

[Figure 11-2 Possible information security positions and reporting relationships: chief information security officer, security consultant, security manager, security technician, security administrator, security officer. Copyright © 2014 Cengage Learning®.]

Chief Information Security Officer (CISO)

Though not usually an executive-level position, the chief information security officer (CISO) is often considered the top InfoSec officer in the organization. He or she frequently reports to the chief information officer (CIO), unless the organization employs a chief security officer (CSO) who oversees both physical and InfoSec areas. Although CISOs are business managers first and technologists second, they must be conversant in all areas of InfoSec, including technology, planning, and policy. They are expected to draft or approve a range of InfoSec policies. They also work with their CIOs and other executive managers on strategic planning, they develop tactical plans, and they work with security managers on operational planning.
Finally, they develop InfoSec budgets based on available funding, and they make decisions or recommendations about purchasing, project and technology implementation, and the recruiting, hiring, and firing of security staff. Ultimately, the CISO is the spokesperson for the security team and is responsible for the overall InfoSec program.

Qualifications and Position Requirements

The most common qualifications for the CISO include the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM), which are described later in this chapter. A graduate degree in business, technology, criminal justice, or another related field is usually required as well. A candidate for this position should have experience as a security manager as well as in planning, policy, and budgets. As mentioned earlier, some organizations prefer to hire individuals with law enforcement experience. Charles Cresson Wood’s Information Security Roles and Responsibilities Made Easy, Version 3 defines and describes the CISO position, which he calls the information security department manager, as follows:

Information Security Department Manager

Job Title: Information Security Department Manager [Also known as Information Security Manager, Information Systems Security Officer (ISSO), Chief Information Security Officer (CISO), Chief Information Security Strategist, or Vice President of Information Security. Note that if the Chief Security Officer […] does not exist at the organization in question, and is not appropriate at this point in time, then some of the CSO duties may instead be performed by the Information Security Department Manager.]
Department: Information Security

Reports To: Chief Information Officer (CIO) [Most common but least recommended option], Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Executive Officer (CEO) [The latter is the most desirable option … ], Chief Security Officer (CSO), or Chief Legal Counsel…

Dotted Line: Board of Directors Audit Committee

Summary: The Information Security Department Manager directs, coordinates, plans, and organizes InfoSec activities throughout Company X. He or she acts as the focal point for all communications related to InfoSec, both with internal staff and third parties. The Manager works with a wide variety of people from different internal organizational units, bringing them together to manifest controls that reflect workable compromises as well as proactive responses to current and future InfoSec risks.

Responsibilities and Duties: The Information Security Department Manager is responsible for envisioning and taking steps to implement the controls needed to protect both Company X information as well as information that has been entrusted to Company X by third parties. The position involves overall Company X responsibility for InfoSec regardless of the form that the information takes (paper, blueprint, CD-ROM, audio tape, embedded in products or processes, etc.), the information handling technology employed (portable computers, wireless devices, smart phones, fax machines, telephones, local area networks, file cabinets, etc.), or the people involved (contractors, consultants, employees, vendors, outsourcing firms, etc.).

● Threats to information and information systems addressed by the Information Security Department Manager and his or her staff include, but are not limited to: information unavailability, information corruption, unauthorized information destruction, unauthorized information modification, unauthorized information usage, and unauthorized information disclosure.
These threats to information and information systems include consideration of physical security matters only if a certain level of physical security is necessary to achieve a certain level of InfoSec [for example, as is necessary to prevent theft of portable computers]
● Acts as the central point of contact within Company X when it comes to all communications dealing with InfoSec, including vulnerabilities, controls, technologies, human factors issues, and management issues
● Establishes and maintains strong working relationships with the Company X groups involved with InfoSec matters (Legal Department, Internal Audit Department, Physical Security Department, Information Technology Department, Information Security Management Committee, etc.) [Note that the Inform ...

Final Answer


Running head: DATA SECURITY

Data Security
Student's name
Student's institution

Data Security
Question 1
In the case of an information security (InfoSec) job description review, a company needs to evaluate the work responsibilities of all employees within the department. The activity would assist in ensuring that all persons within the department focus on the provision of excellent security-guided services. Job descriptions include an explanation of the...
