CSS 111 - Introduction to Information System Security
Chapter 11, Security and Personnel
This lesson discusses personnel related aspects to having a security program.
important to this lesson:
- Where should information security be placed
- Issues about staffing information security positions
- Impact of information security on other IT positions
- Integrating security policies into personnel management
11 may be easier to understand if you consider it being applied to a
start-up company, one that is only beginning to define what it is and
what it does. This kind of company is more likely to make the kinds of
decisions about what area IT security should part of. A company with a
long history probably has a structure in place that would be difficult
to change into anything else.
The text discusses what part of an organization might be
the division that contains the IT security functions. Up to this point,
the assumption has been that this is a subset of the functions of the
IT department. Several alternatives are listed, which might be
considered by a company that is deciding how it should be structured.
According to this discussion, IT security functions might be housed in:
- an Information Technology department
- a Security department
- an Administrative Services department
- an Insurance and Risk Management department
- a Legal department
of these suggestions will seem more logical to you than others. The
point is that the structure of a company depends greatly on how the
people who create the structure see the core functions of the company,
and how they see the functions of IT security being administered.
text turns to deciding what kind of people you want working in your IT
security department. This is important for planners, and also important
for people looking for a job in that specialty. As an incentive to
readers, the author quotes a prediction of job growth in IT and IT
security in the period from 2008 to 2018. It should be noted that
projections are not guarantees, and people looking for work should
develop their skills and look where the work is.
being the case, the text turns to qualifications of an IT security
specialist. On pages 475 and 476, there is a bulleted list of soft
skills that may be useful to security staff:
- knowing how your organization works - this is advisable for any employee, and you can't really get it outside the organization
- knowing that security is a management problem - a questionable point of view, not very useful for daily work, but something other managers need to realize more than security staff
- being able to work and communicate with others, especially with people outside the security staff
- general IT knowledge and skills
- specific security knowledge and skills used in your organization
The text mentions that IT security staff tend to come from one of three backgrounds:
police or military IT security, other IT careers, or IT security
students who are applying for positions directly after graduation. This
makes it appear that most hiring in the past has been done by people
looking for security specific experience, IT experience, or specific
training in IT security. In the chapter introduction, the senior
manager of IT is showing interest in a person from the second category.
next several pages describe what some companies might call some IT
security positions and what people working in those positions might do.
This section is entirely theoretical. The actual position descriptions
and duties of such positions will vary greatly from one company to
Pages 481 through 491 discuss several IT security certifications that a professional might pursue. Like other IT fields, certifications in security may be important to some organizations, while others may care more about experience. Some places may see certification as part of an ongoing staff development
program, a way to stay current with developments in the field. That
being the case, there is no point in learning the list of
certifications one might pursue. As part of a job search, make it your
business to find out what certifications (if any) are important to the
organizations you may apply to. You don't want to pursue a position
that you would have qualified for if only you had known to attain a
particular certification first.
ahead to page 494, the text promotes a couple of ideas that are at odds
with each other. It suggests making security issues part of every job
description, yet keeping the descriptions of jobs that are actually in
the security area vague enough that they would not interest people who
might apply solely to learn secrets. I doubt that this method would be
effective. If someone were trying to "infiltrate" your security team,
they would simply interview for any available job, then try to transfer
to a more interesting one later.
The text makes a better point on the next page, that
applicants for security jobs should be subject to background checks.
The focus of such a check may vary greatly depending on the level of
trust that is placed in someone who fills the position. Consider the
bullet list on page 495, which gets more serious as you go down the
list. Most job interview would require checking the first three items:
identity, education and training, and employment history. Some will
check the fourth point, references. The next six items are looking for
various kinds of legal complications in a person's history that would
filter out applicants who are not suited for trusted positions.
The rest of the chapter concerns personnel (human resources)
topics that are not unique to security related jobs. There should be
onboarding and offboarding procedures for all positions. There should
be rules about what contractors and temporary employees are allowed to
do and not allowed to do for any position in the company.