SEU_CYS566_M03

CSU Global Live Session - Module 3 Overview

Module Information

  • Course: CYS566 - People and Information Management

  • Instructor: [Name not specified]

  • Institution: CSU Global


Module 3 Learning Outcomes

  • Define how companies keep employees’ information safe.

  • Determine best options for security education and training.

  • Explain role-based training.

  • Develop standards for information classification.

  • Describe privacy principles and policies.

  • Explain different document retention/holding policies.


Chapter 5: People Management

Overview of People Management

  • Human Resource Security: Encompasses the employee-organization relationship before employment, during employment, and after employment.

  • Security Awareness/Education: Focuses on the security-related training of employees regarding general security and IT asset usage.


Human Resource Security

  • Categories of Security Problems

    • Non-malicious (Unintentional): Accidental actions causing security incidents due to lack of training or awareness.

    • Malicious (Intentional): Employees knowingly violating security controls can cause significant harm.

  • Consequences: Issues may arise from negligence or a lack of awareness about security protocols.


Security Objectives in Hiring (ISO 27002)

  • Ensure employees, contractors, and third-party users understand their responsibilities and suitability for their roles.


Background Checks and Screening

  • Thorough background checks matter despite the obstacles:

    • Inflated resumes, and corporate policies that limit what former employers will disclose about an employee's performance.

    • Employers must be proactive anyway: negligent hiring can expose the organization to liability.


Guidelines for Checking Applicants

  • Collect detailed employment and educational history.

  • Validate applicant information through interviews and background checks like criminal and credit checks.


Employment Agreements

  • Employees must sign contracts outlining their responsibilities regarding information security, including confidentiality and adherence to security policies.


During Employment

  • Responsibilities of employees include:

    • Awareness of security threats.

    • Responsibility for maintaining organizational security policies.

  • Key components of personnel security:

    • Comprehensive security policy.

    • Ongoing awareness and training programs.


Principles for Personnel Security

  • Least Privilege: Grant the minimum access necessary.

  • Separation of Duties: Ensure that the check on an action is performed independently of the person who took the action.

  • Limited Dependence: Reduce risk from key employees with unique skills.

  • Dual Operator Policy: Certain tasks require two approvals.

  • Mandatory Vacations: Help identify employees involved in misconduct.
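The three principles that systems most often have to enforce mechanically are least privilege, separation of duties and the dual operator policy. The following is an added example, not code from the course notes or the textbook, of a small approval engine that applies all three to a constructed payment workflow: roles carry only the permissions they need, the person who submits a request can never approve it, and a request is only authorized once two distinct approvers have signed off. Every role, user and action name is constructed for illustration.

```python
"""Added example: approval engine enforcing least privilege, separation of
duties and a two-person (dual operator) rule. All names are constructed."""
from dataclasses import dataclass, field

# Least privilege: each constructed role grants only the permissions it needs.
ROLE_PERMISSIONS = {
    "payments_clerk": {"create_payment"},
    "payments_approver": {"approve_payment"},
    "auditor": {"view_ledger"},
}

# Which permission an approver must hold to approve a given request action.
APPROVAL_PERMISSION = {"create_payment": "approve_payment"}

# Dual operator policy: number of distinct approvers required per action.
REQUIRED_APPROVALS = {"create_payment": 2}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Request:
    action: str
    requester: User
    approvers: list = field(default_factory=list)


def permissions(user: User) -> set:
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_perform(user: User, action: str) -> bool:
    return action in permissions(user)


def submit(requester: User, action: str) -> Request:
    """Create a request; the requester must hold the permission for the action."""
    if not can_perform(requester, action):
        raise PermissionError(f"{requester.name} may not {action}")
    return Request(action, requester)


def approve(request: Request, approver: User) -> tuple:
    """Record one approval. Returns (accepted, reason) instead of raising so
    that rejected approvals can be logged and reviewed."""
    # Separation of duties: the check must be independent of the actor.
    if approver.name == request.requester.name:
        return False, "separation of duties: requester may not approve own request"
    # Least privilege: the approver must actually hold the approval right.
    needed = APPROVAL_PERMISSION.get(request.action)
    if needed is None or not can_perform(approver, needed):
        return False, f"least privilege: approver lacks {needed}"
    # Dual operator: the same person cannot supply both approvals.
    if any(a.name == approver.name for a in request.approvers):
        return False, "dual operator: approvals must come from distinct people"
    request.approvers.append(approver)
    return True, "approval recorded"


def is_authorized(request: Request) -> bool:
    """True once the request has collected the required number of approvals."""
    return len(request.approvers) >= REQUIRED_APPROVALS.get(request.action, 0)


if __name__ == "__main__":
    alice = User("alice", frozenset({"payments_clerk"}))
    bob = User("bob", frozenset({"payments_approver"}))
    carol = User("carol", frozenset({"payments_approver"}))
    req = submit(alice, "create_payment")
    for who in (alice, bob, bob, carol):
        print(who.name, approve(req, who))
    print("authorized:", is_authorized(req))
```

Returning a reason string from approve rather than raising keeps every rejected attempt visible to whoever reviews the approval log, which is how the separation-of-duties violations these controls exist to catch actually get noticed.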


Termination of Employment

  • Key security actions during termination include:

    • Revoking access to systems and information.

    • Ensuring no unauthorized accounts exist.

    • Recovering organizational assets.
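The three termination actions above are usually verified by reconciling the HR roster against what the systems actually contain. The following is an added example, not code from the course notes or the textbook, that takes a constructed HR roster, a constructed account export and a constructed asset register and produces the three lists an offboarding review needs: enabled accounts still owned by terminated staff (revoke), accounts with no owner in the roster that are not known service accounts (orphan, i.e. possibly unauthorized), and assets still assigned to terminated staff (recover). All usernames, systems and asset tags are constructed.

```python
"""Added example: offboarding reconciliation of roster, accounts and assets.
Every record below is constructed for illustration."""
import csv
import io
from datetime import date

# Constructed HR roster: username -> employment status and termination date.
HR_ROSTER = {
    "asmith": {"status": "active", "terminated": None},
    "bjones": {"status": "terminated", "terminated": date(2024, 3, 1)},
    "cdoe": {"status": "active", "terminated": None},
}

# Constructed account export from several systems, in CSV form.
ACCOUNT_EXPORT = """system,account,owner,enabled
erp,asmith,asmith,true
erp,bjones,bjones,true
vpn,bjones,bjones,false
fileshare,svc_backup,,true
erp,zzz_test,,true
vpn,cdoe,cdoe,true
"""

# Constructed asset register: which person each tagged asset is assigned to.
ASSET_REGISTER = [
    {"tag": "LAPTOP-0042", "assigned_to": "bjones"},
    {"tag": "LAPTOP-0077", "assigned_to": "asmith"},
    {"tag": "TOKEN-0013", "assigned_to": "bjones"},
]


def parse_accounts(text: str) -> list:
    """Parse the CSV export into dicts, normalising the enabled flag to bool."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["enabled"] = row["enabled"].strip().lower() == "true"
    return rows


def reconcile(roster: dict, accounts: list, assets: list,
              service_accounts: frozenset = frozenset()) -> dict:
    """Return {'revoke': [...], 'orphan': [...], 'recover': [...]}."""
    report = {"revoke": [], "orphan": [], "recover": []}
    terminated = {u for u, rec in roster.items() if rec["status"] == "terminated"}

    for acct in accounts:
        owner = acct["owner"]
        if acct["enabled"] and owner in terminated:
            # Termination step 1: access still live for a departed employee.
            report["revoke"].append((acct["system"], acct["account"]))
        elif owner not in roster and acct["account"] not in service_accounts:
            # Termination step 2: an account nobody in HR vouches for.
            report["orphan"].append((acct["system"], acct["account"]))

    for asset in assets:
        if asset["assigned_to"] in terminated:
            # Termination step 3: organizational assets not yet recovered.
            report["recover"].append(asset["tag"])

    return report


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, parse_accounts(ACCOUNT_EXPORT), ASSET_REGISTER,
                       service_accounts=frozenset({"svc_backup"}))
    for category, items in result.items():
        print(f"{category}: {items}")
```

The already-disabled VPN account for the terminated user is deliberately not reported as something to revoke; the review is of remaining access, and the known service account is excluded only because it is explicitly allow-listed, so any unlisted ownerless account surfaces for investigation.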


Security Awareness

  • Security responsibilities must be communicated to all employees, with a focus on ongoing training addressing various subjects including social engineering and physical security.


Awareness Program Communication Materials

  • Utilize both in-house and external materials to reinforce security awareness through various formats (e.g., newsletters, workshops, training sessions).


Cybersecurity Essentials Program

  • Defined in NIST SP 800-16: a framework for individuals to protect electronic information and systems, focusing on the key security practices that apply universally.


Role-based Training

  • Aimed at individuals with functional roles regarding IT systems; focuses on teaching specific skills rather than just raising awareness.

  • Four key roles in SP 800-16 include: Manage, Design, Implement, Evaluate.


Education and Certification

  • Various certifications exist for security professionals, including:

    • GSEC, CISSP, SSCP, CISM, and SANS certifications.


People Management Best Practices

  • Best practices divided into two areas: Human resource security (employment life cycle, remote working) and Security awareness (education, program messages).


Chapter 6: Information Management

Information Classification and Handling

  • Importance of classifying information based on its sensitivity and potential impact in case of a breach.

  • ISO 27001 security controls include the requirement for information classification, labeling, and handling.


Identifying Information Types

  • Covers various forms of information from electronic to physical, ensuring all data types are catalogued for proper handling.


Information Labeling

  • Each information type must have clear labels to prevent unauthorized access and ensure classification is identifiable.


Privacy

  • Defined as the right to control personal information and prevent unauthorized access, particularly concerning personally identifiable information (PII).


Privacy Controls

  • Organizations need comprehensive privacy controls to comply with regulations and protect PII, as outlined in NIST SP 800-53.

  • Includes elements like security measures and transparency protocols regarding information practices.


Documents and Record Management

  • Documents: Structured information about processes or policies.

  • Records: Official evidence of actions taken, typically immutable post-creation.

    • Three stages of record management: Active, Semi-active, Inactive.


Information Management Best Practices

  • Focus on classification, privacy, document management, and safeguarding sensitive information through compliant practices.