Managing Information Security Personnel
Download
Report
Transcript Managing Information Security Personnel
Managing Information
Security Personnel
By Christopher Boehm
Overview
Introduction
Hiring Process
Contracts
ISO 17799
Terminating Employment
Closing points
Introduction
Security is more a people problem than a
technology problem.
The process to effectively manage
Information Security Personnel starts
before an employee is even hired and
goes all the way to their termination.
Hiring Process
BASIC job postings, no access details.
Background checks!!
Identity
Education
Previous employment
References
Drug history
Credit history (if agreed to)
Contracts
Security agreements
Employment Contingent Upon
Agreement
Current employees cannot be forced into
signing documents to keep their job.
ISO 17799
A Standard Document
Encompasses broad range of information
security issues
Risk Assessment and Treatment
System Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Human Resources
Security
a) Ensure that employees, contractors and
third parties are suitable for the jobs they are
considered for, understand their
responsibilities, and to reduce the risk of abuse
(theft, misuse, etc).
b) Ensure that the above are aware of IS
threats and their responsibilities, and able to
support the organization's security policies
c) Ensure that the above exit the organization
in an orderly and controlled manner.
http://17799.denialinfo.com/whatisiso17799.htm
Terminating Employment
Disable access immediately
Return media
Secure hard disks
Change locks
Exit Interview
Escort off premises (if necessary)
Closing points..
NEVER be too paranoid of who you hire!
Keep good security policies in the
forefront of ALL employees’ minds.
Technology alone is not a defense!
Questions?
Comments?