Security Function and Staffing Insights

  • Module Introduction
  • Module Objectives
  • Introduction to Security and Personnel
  • Positioning the Security Function
  • Staffing the Information Security Function
  • Knowledge Check Activity 1
  • Activity Answer Explanation
  • Industry Analysis: BLS Information and Heat Maps
  • Qualifications and Requirements for Security Roles
  • Entry into the Information Security Profession
  • Knowledge Check Activity 2
  • Activity Answer Explanation
  • Information Security Positions Overview
  • Professional Certifications
  • Certification Costs and Preparation
  • Advice for Security Professionals
  • Employment Policies and Practices
  • Hiring and Background Checks
  • Employment Contracts and Orientation
  • Security Training and Performance Evaluation
  • Employee Termination Protocols
  • Personnel Control Strategies
  • Managing Temporary Employees
  • Summary and Self-Assessment
  • Self-Assessment

Module 7

Security and Personnel

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 1
Module Objectives

Upon completion of this material, you should be able to do the following:


7.1 Describe where and how the information security function should be
positioned within organizations.
7.2 Explain the issues and concerns related to staffing the information security
function.
7.3 List and describe the credentials that information security professionals
can earn to gain recognition in the field.
7.4 Discuss how an organization’s employment policies and practices can
support the information security effort.
7.5 Identify special security controls and privacy considerations for personnel
management.
Introduction to Security and Personnel

• When implementing information security, there are many human resource issues that must be addressed:
− Positioning and naming the security function.
− Staffing for, or adjusting, the staffing plan.
− Assessing the impact of information security on every IT function.
− Integrating solid information security concepts into personnel management practices.
• Employees often feel threatened when an information security program is being
created or enhanced.
Positioning the Security Function

• There are several valid choices for positioning the information security
department within an organization. It can be placed within the following:
− IT (most common).
− Physical security.
− Administrative services.
− Insurance and risk management.
− Legal.
• InfoSec should balance its duty to monitor compliance with the need for education, training, awareness, and customer service.
Staffing the Information Security Function

• Selecting personnel is based on several criteria, including some not within the
control of the organization (supply and demand).
• Many professionals enter security markets by gaining skills, experience, and
credentials.
• At present, the information security industry is in a period of high demand. According to the Bureau of Labor Statistics (BLS), employment of information security analysts is projected to grow 31 percent from 2019 to 2029, much faster than the 4 percent average for all occupations.

Knowledge Check Activity 1

Demand for information security staff is _____.


a. very low
b. low
c. high
d. moderate

Knowledge Check Activity 1: Answer

Demand for information security staff is _____.


a. very low
b. low
c. high
d. moderate

Answer: c. high
According to the Bureau of Labor Statistics (BLS), employment of information security analysts is projected to grow 31 percent from 2019 to 2029, much faster than the 4 percent average for all occupations.

BLS Information For Information Security Analysts

[Link] Supply/Demand Heat Map

Qualifications and Requirements (1 of 3)

• Establishing better hiring practices requires the following:


− General management should learn more about skills and qualifications for
positions.
− Upper management should learn about the budgetary needs of information
security function.
− IT and general management should grant appropriate levels of influence and
prestige to information security.
• Organizations typically look for technically qualified information security generalists who have a solid understanding of how an organization operates.

Qualifications and Requirements (2 of 3)

• Organizations look for candidates who understand the following:


− How an organization operates at all levels.
− That information security is usually a management problem and is seldom
exclusively a technical problem.
− How to work with people and collaborate with end users and the importance
of strong communications and writing skills.
− The role of policy in guiding security efforts, and the role of education and
training in making employees and others part of the solution.
− Most mainstream IT technologies at a general level.

Qualifications and Requirements (3 of 3)

• Organizations look for candidates who understand the following:


− The terminology of IT and information security.
− The threats facing an organization and how they can become attacks.
− How to protect an organization’s information assets from attacks.
− How business solutions, including technology-based solutions, can be
applied to solve specific information security problems.

Entry into the Information Security Profession

• Traditionally, many information security professionals entered the field through
one of two career paths:
− Law enforcement and military.
− Technical IT professionals.
• Today, students select and tailor degree programs to prepare for work in
information security.
• Organizations can foster greater professionalism by matching qualified
candidates to clearly defined roles in information security.

Career Paths To Information Security Positions

Knowledge Check Activity 2

Traditionally, which has been the dominant way people enter the information
security field?
a. Law Enforcement / Military
b. Hiring at entry level from college
c. Technical IT Professionals
d. Choice A & B are correct

Knowledge Check Activity 2: Answer

Traditionally, which has been the dominant way people enter the information security field?
a. Law Enforcement / Military
b. Hiring at entry level from college
c. Technical IT Professionals
d. Choice A & B are correct

Answer: d. Choice A & B are correct


Only in recent years have companies begun recruiting large numbers of information security staff for entry-level positions.

Information Security Positions

• Use of standard job descriptions can increase the degree of professionalism and improve the consistency of roles and responsibilities between organizations.
• Charles Cresson Wood’s book, Information Security Roles and Responsibilities
Made Easy, offers a set of model job descriptions.
• Eddie Schwartz described security positions as being classified into one of three
areas: those that define information security programs, those that build the
systems and create the programs to implement information security controls,
and those that administer information security control systems and programs
that have been created.

Positions In Information Security

Chief Information Security Officer (CISO)

• Manages the overall information security program for the organization


• Drafts or approves information security policies
• Works with the CIO on strategic plans, develops tactical plans, and works with security
managers on operational plans
• Develops information security budgets based on available funding
• Sets priorities for the purchase and implementation of information security projects and
technology
• Makes decisions or recommendations for the recruiting, hiring, and firing of security staff
• Acts as the spokesperson for the information security team
• Typical Qualifications: Bachelor’s degree in security or computing-related field, CISM and a
graduate degree common, experience as a security manager.
Chief Security Officer (CSO)

• CISO’s position may be combined with physical security responsibilities.


• Knowledgeable in both InfoSec requirements and the “guards, gates, and guns” approach to protecting the physical infrastructure.

Security Manager

• Accountable for day-to-day operation of the information security program


• Accomplishes objectives as identified by CISO and resolves issues identified by
technicians
• Typical qualifications: often have CISSP or CISM; ability to draft middle- and
lower-level policies, standards, and guidelines; budgeting, project management,
and hiring and firing; ability to manage technicians.

Security Technician

• Technically qualified employees tasked to configure security hardware and software.
• Tend to be specialized.
• Typical qualifications:
− Varied since organizations prefer expert, certified, proficient technicians.
− Some experience with a particular hardware and software package.
− Actual experience in using a technology usually required.

Credentials for Information Security Professionals

• Many organizations seek industry-recognized certifications.
• Most InfoSec certifications are not fully understood by hiring organizations.

(ISC)2 Certifications

• Certified Information Systems Security Professional (CISSP)


− Information Systems Security Architecture Professional (ISSAP)
− Information Systems Security Engineering Professional (ISSEP)
− Information Systems Security Management Professional (ISSMP)
• Systems Security Certified Practitioner (SSCP)
• Certified Secure Software Lifecycle Professional (CSSLP)
• Certified Authorization Professional (CAP)
• HealthCare Information Security and Privacy Practitioner (HCISPP)
• Certified Cloud Security Professional (CCSP)
• Associate of (ISC)2
ISACA Certifications

• Certified Information Systems Manager (CISM)


• Certified in Risk and Information Systems Control (CRISC)
• Certified in the Governance of Enterprise IT (CGEIT)
• Certified Data Privacy Solutions Engineer (CDPSE)

SANS/GIAC Certifications

• Offers multiple GIAC certifications in the following focus areas:


− Cyber Defense
− Industry Control Systems
− Offensive Security
− Digital Forensics & Incident Response
− Cloud Security
− Management & Leadership
− GIAC Security Expert

Other Certifications

• EC Council
− CEH
− CICISO
− Others in security awareness, fundamental, core, specialist, advanced and
management areas.
• CompTIA
− Security+
− CySA+
− PenTest+
− CASP+
• Cloud Certifications
Knowledge Check Activity 3

Which organization hosts the certification known as the CISSP?


a. SANS
b. ISACA
c. (ISC)2
d. CompTIA

Knowledge Check Activity 3: Answer

Which organization hosts the certification known as the CISSP?


a. SANS
b. ISACA
c. (ISC)2
d. CompTIA

Answer: c. (ISC)2
The (ISC)2 hosts many certifications including the CISSP and SSCP.

Certification Costs

• More preferred certifications can be expensive.


• Even experienced professionals find exams difficult without some review.
• Many candidates engage in individual or group study sessions and purchase
exam review books.
• Before attempting a certification exam, do your homework and review exam
criteria, its purpose, and requirements to ensure that the time and energy spent
pursuing certification are worthwhile.

Preparing for Security Certification

Advice for Information Security Professionals

• Always remember business before technology.


• Technology provides elegant solutions for some problems but only exacerbates
others.
• Never lose sight of the goal of protecting the organization’s information assets.
• Be heard and not seen.
• Know more than you say; be more skillful than you let on.
• Speak to users, not at them.
• Your education is never complete.
Employment Policies and Practices

• An organization should make information security a documented part of every employee’s job description.
• The management community of interest should integrate solid concepts for information security into the organization’s employment policies and practices.
• From the information security perspective, hiring of employees is a responsibility laden with potential security pitfalls.
• The CISO and the information security manager should work with the human resources department to incorporate information security into the guidelines used for hiring all personnel.

Job Descriptions

• Integrating information security perspectives into the hiring process begins with reviewing and updating all job descriptions.
• An organization should avoid revealing access privileges to prospective
employees when advertising open positions.

Interviews

• An opening within the information security department creates a unique opportunity for the security manager to educate HR on the certifications, experience, and qualifications of a good candidate.
• Information security should advise HR to limit the information provided to the candidate on the responsibilities and access rights of the new hire.
• For organizations that include on-site visits as part of interviews, it’s important to exercise caution when showing a candidate around the facility.

Background Checks

• An investigation into a candidate’s past should be conducted before the organization extends an offer to the candidate.
• Background checks differ in the level of detail and depth with which a candidate is examined.
• May include the following:
− identity check
− education and credential check
− previous employment verification
− reference check
− worker’s compensation history
− motor vehicle records
− drug history
− credit history

Hiring Issues

Employment Contracts

• Once a candidate has accepted a job offer, the employment contract becomes
an important security instrument.
• Many security policies require an employee to agree in writing to monitoring and
nondisclosure agreements.
• Policies governing employee behavior may be classified as “employment contingent upon agreement,” whereby the employee must agree to conform with the policies before being hired.

New Hire Orientation

• New employees should receive an extensive information security briefing on policies, procedures, and requirements for information security.
• Levels of authorized access should be outlined and training provided on the secure use of information systems.
• By the time employees start, they should be thoroughly briefed on security components and their rights and responsibilities.

On-the-Job Security Training

• An organization should integrate security awareness education into job orientation and security training.
• Keeping security at the forefront of employees’ minds helps minimize their mistakes and is an important part of the information security awareness mission.
• External and internal seminars should also be used to increase security awareness for all employees, particularly security employees.

Evaluating Performance

• Organizations should incorporate information security components into employee performance evaluations.
• Employees pay close attention to job performance evaluations and are more likely to take information security seriously if violations are documented in them.

Termination (1 of 3)

• When an employee leaves the organization, security-related issues arise.
• A key issue is continuity of protection of all information to which the employee had access.
• After having delivered keys, keycards, and other business property, the former employee should be escorted from the premises.
• Many organizations use an exit interview to remind the former employee of contractual obligations and to obtain feedback.

Termination (2 of 3)
• Hostile departures include termination for cause, permanent downsizing, temporary
layoffs, or some instances of quitting.
− Before the employee is aware, all logical and keycard access is terminated.
− Employee collects all belongings and surrenders all keys, keycards, and other
company property.
− Employee is then escorted out of the building.
• Friendly departures include resignation, retirement, promotion, or relocation.
− Employee may be notified well in advance of departure date.
− More difficult for security staff to maintain positive control over the employee’s access and information usage.
− Employee accounts usually continue with new expiration date.
− Employees come and go at will, collect their own belongings, and leave on their
own.
Termination (3 of 3)

• Offices and information used by the employee must be inventoried, files stored
or destroyed, and property returned to organizational stores.
• Employees may foresee their departure well in advance and begin collecting organizational information for their future employment.
• Only by scrutinizing systems logs after the employee has departed can the
organization determine if there has been a breach of policy or a loss of
information.
• If information has been illegally copied or stolen, report an incident and follow
the appropriate policy.
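The post-departure log review described above, as an added example that is not part of the textbook: given a departing employee's notice date and last day, it flags any activity after the last day (the account was not disabled) and a surge in file downloads during the notice period relative to the employee's own baseline. The log format, user names, paths and thresholds are constructed for the example.

```python
"""Added example (not from the textbook): post-departure access-log review."""
import re
from datetime import datetime, timedelta, timezone

# Constructed log format, one event per line:
#   <ISO-8601 UTC timestamp> user=<id> action=<verb>[ path=<file>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: path=(?P<path>\S+))?$"
)


def parse_event(line):
    """Return a dict for a well-formed line, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "path": m["path"]}


def review_departure(lines, user, notice_given, last_day,
                     baseline_days=30, ratio=3.0, min_events=5):
    """Review one departing user's events. All datetimes must be UTC-aware.

    baseline window : [notice_given - baseline_days, notice_given)
    notice window   : [notice_given, last_day]
    post-termination: anything after last_day
    """
    events = [e for e in map(parse_event, lines) if e and e["user"] == user]
    baseline_start = notice_given - timedelta(days=baseline_days)

    post = [e for e in events if e["ts"] > last_day]
    base_dl = [e for e in events if e["action"] == "file.download"
               and baseline_start <= e["ts"] < notice_given]
    notice_dl = [e for e in events if e["action"] == "file.download"
                 and notice_given <= e["ts"] <= last_day]

    notice_days = max((last_day - notice_given).days + 1, 1)
    baseline_rate = len(base_dl) / baseline_days
    notice_rate = len(notice_dl) / notice_days

    findings = []
    if post:
        first = post[0]
        findings.append(f"{len(post)} event(s) after last day (account not disabled?); "
                        f"first: {first['ts'].isoformat()} {first['action']}")
    # With a zero baseline any download exceeds ratio * 0, so min_events keeps a
    # handful of routine downloads in the notice period from raising a finding.
    if len(notice_dl) >= min_events and notice_rate > ratio * baseline_rate:
        paths = sorted({e["path"] for e in notice_dl if e["path"]})
        findings.append(f"download surge: {notice_rate:.2f}/day vs baseline "
                        f"{baseline_rate:.2f}/day across {len(paths)} distinct paths")
    return {"post_termination_events": len(post), "baseline_rate": baseline_rate,
            "notice_rate": notice_rate, "findings": findings}


# Constructed sample: 'bob' gives notice on 2024-03-01, last day 2024-03-08.
NOTICE = datetime(2024, 3, 1, tzinfo=timezone.utc)
LAST_DAY = datetime(2024, 3, 8, 23, 59, 59, tzinfo=timezone.utc)
SAMPLE_LOG = [
    "2024-02-05T10:01:00Z user=bob action=file.download path=/finance/feb-forecast.xlsx",
    "2024-02-14T11:20:31Z user=bob action=file.download path=/finance/vendors.csv",
    "2024-02-20T09:00:00Z user=bob action=login",
    "2024-02-27T16:45:12Z user=bob action=file.download path=/finance/q1-plan.pptx",
    "2024-03-02T08:15:00Z user=alice action=file.download path=/hr/handbook.pdf",
    "2024-03-11T08:02:10Z user=bob action=login",
    "garbage line that does not parse",
] + [  # twelve downloads on 4 and 5 March: the notice-period surge
    f"2024-03-0{d}T1{i}:00:00Z user=bob action=file.download path=/finance/customer-{d}{i}.csv"
    for d in (4, 5) for i in range(6)
]


def sample_review():
    return review_departure(SAMPLE_LOG, "bob", NOTICE, LAST_DAY)


if __name__ == "__main__":
    for finding in sample_review()["findings"]:
        print("FINDING:", finding)
```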

Knowledge Check Activity 4

What tasks must be performed when an employee prepares to leave an organization?

Knowledge Check Activity 4: Answer

What tasks must be performed when an employee prepares to leave an organization?


When an employee prepares to leave an organization, the following tasks must be
performed:
− Access to the organization’s systems must be disabled.
− Removable media must be returned.
− Hard drives must be secured.
− File cabinet locks must be changed.
− The office door lock must be changed.
− Keycard access must be revoked.
− Personal effects must be removed from the organization’s premises.
Personnel Control Strategies (1 of 2)

• Separation of duties is used to reduce the chance that an employee will violate
information security and breach the confidentiality, integrity, or availability of
information by having tasks divided between multiple employees.
• A similar concept is known as two-person control (or dual control) in which two
employees review and approve each other’s work.
• Another control used to prevent personnel from misusing information assets is
job rotation (or task rotation) where multiple employees train to perform each
critical task.
• Mandatory vacations give the organization the ability to audit the work of an
employee.
Internal Control Strategies

Personnel Control Strategies (2 of 2)

• Need to know is the principle of limiting users’ access privileges to the specific
information required to perform their assigned tasks.
• Least privilege is the data access principle that ensures no unnecessary access
to data exists by regulating members so they can perform only the minimum
data manipulation needed; least privilege implies a need to know.
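The personnel controls from both Personnel Control Strategies slides, shown as access-request logic in an added example that is not from the textbook: need to know and least privilege (a role is granted only the permissions its tasks require), separation of duties (no one approves a request they raised or benefit from, and no one ends up holding a toxic permission pair), and two-person control (sensitive grants need two independent approvers). Roles, permissions and user names are constructed sample data.

```python
"""Added example (not from the textbook): enforcing personnel controls in an
access-grant workflow."""
from dataclasses import dataclass, field

# Need to know: a role is entitled only to the permissions its tasks require.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll:read", "payroll:submit"},
    "payroll_approver": {"payroll:read", "payroll:approve"},
    "dba": {"db:read", "db:write"},
}

# Separation of duties: permission sets one person must never hold at once.
TOXIC_COMBINATIONS = [
    {"payroll:submit", "payroll:approve"},  # submitting and approving a pay run
]

# Two-person (dual) control: granting these needs two independent approvers.
DUAL_CONTROL = {"payroll:approve", "db:write"}


@dataclass
class AccessRequest:
    requester: str            # who raised the request
    subject: str              # who would receive the access
    role: str
    permissions: set
    approvers: list = field(default_factory=list)


@dataclass
class Decision:
    granted: set
    violations: list


def evaluate(req, current_access):
    """Decide an access request against the controls above.

    current_access maps user -> set of permissions already held. Any violation
    denies the whole request (fail closed) and is reported so a reviewer can
    see why; a partial grant would quietly erode the control.
    """
    violations = []
    entitled = ROLE_ENTITLEMENTS.get(req.role, set())

    # Need to know / least privilege: only what is asked for AND tied to the role.
    for perm in sorted(set(req.permissions) - entitled):
        violations.append(f"need-to-know: {perm} is not required by role {req.role}")
    granted = set(req.permissions) & entitled

    # Separation of duties in the workflow: the requester and the beneficiary
    # cannot be among the approvers.
    for person in (req.requester, req.subject):
        if person in req.approvers:
            violations.append(f"separation of duties: {person} cannot approve a "
                              "request they raised or benefit from")

    # Two-person control: sensitive grants need two approvers independent of
    # both the requester and the subject.
    independent = set(req.approvers) - {req.requester, req.subject}
    sensitive = granted & DUAL_CONTROL
    if sensitive and len(independent) < 2:
        violations.append(f"dual control: {sorted(sensitive)} needs two independent "
                          f"approvers, got {len(independent)}")

    # Separation of duties in the resulting access: existing plus new grants.
    resulting = current_access.get(req.subject, set()) | granted
    for combo in TOXIC_COMBINATIONS:
        if combo <= resulting:
            violations.append(f"separation of duties: {sorted(combo)} would be "
                              "held by one person")

    if violations:
        granted = set()
    return Decision(granted, violations)


if __name__ == "__main__":
    # bob already submits pay runs; a request to let him approve them too.
    held = {"bob": {"payroll:submit"}}
    req = AccessRequest("alice", "bob", "payroll_approver", {"payroll:approve"},
                        ["carol", "dave"])
    decision = evaluate(req, held)
    print("granted:", decision.granted)
    for v in decision.violations:
        print("DENY:", v)
```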

Security Considerations for Temporary Employees

• Individuals not subject to screening, contractual obligations, and eventual
secured termination often have access to sensitive organizational information.
• Relationships with these individuals should be carefully managed to prevent
possible information leak or theft.

Temporary Employees

• Hired by the organization to serve in a temporary position or to supplement the existing workforce.
• Often not subject to contractual obligations or general policies; if temporary employees violate a policy or cause a problem, possible actions are limited.
• Access to information for temporary employees should be limited to that necessary to perform their duties.
• The temporary employee’s supervisor must restrict the information to which access is possible.

Contract Employees

• Typically hired to perform specific services for an organization.
• The host company often makes a contract with a parent organization rather than with
an individual for a particular task.
• In a secure facility, all contract employees are escorted from room to room, as
well as into and out of the facility.
• Restrictions or requirements need to be negotiated into contract agreements when
they are activated.

Consultants

• Contracts for consultants should specify all requirements for information or
facility access before being allowed into the workplace.
• Security and technology consultants must be prescreened, escorted, and
subjected to nondisclosure agreements to protect the organization.
• Just because the organization is paying an information security consultant, the
protection of their information doesn’t become the consultant’s top priority.

Business Partners

• Businesses create strategic alliances with other organizations, desiring to
exchange information, integrate systems, or discuss operations.
• There must be meticulous, deliberate determination of what information is to be
exchanged, in what format, and to whom.
• Nondisclosure agreements and the security levels of both systems must be
examined before any physical integration takes place.

Summary (1 of 4)
• Where to place the information security function within the organization is a key decision. The
most popular options involve placing information security within IT or the physical security
function. Organizations searching for a rational compromise should place the information
security function where it can balance its need to enforce company policy with its need to deliver
service to the entire organization.
• The selection of information security personnel is based on several criteria, not all of which are
within the control of the organization. In most cases, organizations look for a technically
qualified information security generalist with a solid understanding of how an organization
operates. The following attributes are also desirable:
− An attitude that information security is usually a management problem, not an exclusively
technical problem.
− Good people skills, communication skills, writing skills, and a tolerance for users.
− An understanding of the role of policy in guiding security efforts.
− An understanding of the role of education and training in making users part of the solution.
Summary (2 of 4)

− An understanding of the threats facing an organization, how they can become attacks, and
how to protect the organization from information security attacks.
− A working knowledge of many common technologies and a general familiarity with most
mainstream IT technologies.
• Many information security professionals enter the field through one of two career paths: via law
enforcement or the military, or from other professions related to technical information systems.
In recent years, college students have been able to take courses that prepare them to enter the
information security workforce directly.
• During the hiring process for an information security position, an organization should use
standard job descriptions to increase the degree of professionalism among applicants and to
make sure the position’s roles and responsibilities are consistent with those of similar positions
in other organizations. Studies of information security positions have found that they can be
classified into one of three areas: those that define, those that build, and those that administer.
Summary (3 of 4)

• When filling information security positions, many organizations indicate the level of proficiency
required for the job by specifying that candidates have recognizable certifications. Some of the
more popular certifications are the following:
− The (ISC)2 family of certifications, including the Certified Information Systems Security
Professional (CISSP), a number of specialized CISSP certifications, the Systems Security
Certified Practitioner (SSCP), the Associate of (ISC)2, and several other specialized
certifications.
− The ISACA family of certifications, including the Certified Information Security Manager
(CISM), and several other specialized certifications.
− The Global Information Assurance Certification (GIAC) family of certifications, including the
GIAC Information Security Professional and the GIAC Security Leadership Certification.
− CompTIA’s Security+ and EC-Council’s CCISO.

Summary (4 of 4)

• The general management community of interest should integrate information security
concepts into the organization’s employment policies and practices. Areas in which
information security should be a consideration include employment contracts, new hire
orientation, performance evaluation, termination, and hiring. The hiring process
includes job descriptions, interviews, and background checks.
• Separation of duties is a control used to reduce the chance of any person violating
information security and breaching the confidentiality, integrity, or availability of
information. According to the principle behind this control, any major task that involves
sensitive information should require two people to complete.
• Organizations may need the special services of temporary employees, contract
employees, consultants, and business partners, but these relationships should be
carefully managed to prevent information leaks or theft.
Self-Assessment

• In this module you learned about where the information security function can be
placed into the organization’s hierarchy.
• In your opinion, where is the ‘best’ place to have the information security
leadership placed in a larger company of say 10,000 staff?
• Would you have it be in a different place in a much smaller company, say one
with 100 staff?
• If they are not the same, what reason do you have for the difference in
placement?
