CSS 111 - Introduction to Information System Security
Chapter 11, Security and Personnel
Objectives:
This lesson discusses personnel-related aspects of having a security program.
Objectives important to this lesson:
- Where should information security be placed
- Issues about staffing information security positions
- Impact of information security on other IT positions
- Integrating security policies into personnel management
Concepts:
Chapter 11
Chapter 11 may be easier to understand if you consider it being applied to a
start-up company, one that is only beginning to define what it is and
what it does. This kind of company is more likely to make the kinds of
decisions about what area IT security should be part of. A company with a
long history probably has a structure in place that would be difficult
to change into anything else.
The text discusses what part of an organization might be
the division that contains the IT security functions. Up to this point,
the assumption has been that this is a subset of the functions of the
IT department. Several alternatives are listed, which might be
considered by a company that is deciding how it should be structured.
According to this discussion, IT security functions might be housed in:
- an Information Technology department
- a Security department
- an Administrative Services department
- an Insurance and Risk Management department
- a Legal department
Some of these suggestions will seem more logical to you than others. The
point is that the structure of a company depends greatly on how the
people who create the structure see the core functions of the company,
and how they see the functions of IT security being administered.
The text turns to deciding what kind of people you want working in your IT
security department. This is important for planners, and also important
for people looking for a job in that specialty. As an incentive to
readers, the author quotes a prediction of job growth in IT and IT
security in the period from 2008 to 2018. It should be noted that
projections are not guarantees, and people looking for work should
develop their skills and look where the work is.
That being the case, the text turns to qualifications of an IT security
specialist. On pages 475 and 476, there is a bulleted list of soft
skills that may be useful to security staff:
- knowing how your organization works - this is advisable for any employee, and you can't really get it outside the organization
- knowing that security is a management problem - a questionable point of view, not very useful for daily work, but something other managers need to realize more than security staff
- being able to work and communicate with others, especially with people outside the security staff
- general IT knowledge and skills
- specific security knowledge and skills used in your organization
The text mentions that IT security staff tend to come from one of three backgrounds:
police or military IT security, other IT careers, or IT security
students who are applying for positions directly after graduation. This
makes it appear that most hiring in the past has been done by people
looking for security specific experience, IT experience, or specific
training in IT security. In the chapter introduction, the senior
manager of IT is showing interest in a person from the second category.
The next several pages describe what some companies might call some IT
security positions and what people working in those positions might do.
This section is entirely theoretical. The actual position descriptions
and duties of such positions will vary greatly from one company to
another.
Pages 481 through 491 discuss several IT security certifications that a
professional might pursue. Like other IT fields, certifications in
security may be important to some organizations, while others may care
more about experience. Some places may see certification as part of an
ongoing staff development program, a way to stay current with
developments in the field. That being the case, there is no point in
learning the list of certifications one might pursue. As part of a job
search, make it your business to find out what certifications (if any)
are important to the organizations you may apply to. You don't want to
miss a position that you would have qualified for if only you had known
to attain a particular certification first.
Skipping ahead to page 494, the text promotes a couple of ideas that are at odds
with each other. It suggests making security issues part of every job
description, yet keeping the descriptions of jobs that are actually in
the security area vague enough that they would not interest people who
might apply solely to learn secrets. I doubt that this method would be
effective. If someone were trying to "infiltrate" your security team,
they would simply interview for any available job, then try to transfer
to a more interesting one later.
The text makes a better point on the next page, that
applicants for security jobs should be subject to background checks.
The focus of such a check may vary greatly depending on the level of
trust that is placed in someone who fills the position. Consider the
bullet list on page 495, which gets more serious as you go down the
list. Most job interviews would require checking the first three items:
identity, education and training, and employment history. Some will
check the fourth point, references. The next six items look for
various kinds of legal complications in a person's history that would
filter out applicants who are not suited for trusted positions.
The rest of the chapter concerns personnel (human resources)
topics that are not unique to security related jobs. There should be
onboarding and offboarding procedures for all positions. There should
be rules about what contractors and temporary employees are allowed to
do and not allowed to do for any position in the company.