Security Management Practices - In Depth Notes

Objectives of Security Management Practices

  • List the elements of key information security management practices.
  • Discuss and implement information security constraints on general hiring processes.
  • Explain the role of information security in employee terminations.
  • Describe the security practices used to regulate employee behavior and prevent misuse of information.
  • Describe the key components and suitable strategies for implementing a security performance measurement program.
  • Discuss various types of benchmarking and their use in security planning.

Introduction to Security Practices

  • Organizations aim to deliver maximum value with a given investment, known as the "value proposition."
  • Effective InfoSec management practices contribute to achieving this objective.
  • It is crucial for InfoSec to collaborate closely with Human Resources (HR) to manage personnel-related risks to information assets.
  • This collaboration extends to contract employees and individuals from partner organizations.
  • Executives seek verification of management practice quality through benchmarking and compliance measurement.

Security Employment Practices

Integration of InfoSec into Employment Practices

  • InfoSec concepts should permeate all employment policies to enhance organization-wide security awareness.
  • Involvement of InfoSec in the management of hiring processes critically influences organizational security.

Key Concepts in Hiring Processes

Job Descriptions

  • Job descriptions must integrate InfoSec responsibilities and must not disclose details of the system access a role carries, since such disclosure creates security risks.

Background Checks

  • Mandatory background checks before hiring are critical to verify candidates' integrity and identify potential risks.
  • Background checks may involve: identity verification, education and credential checks, employment verification, and criminal record checks.
  • Regulations like the Fair Credit Reporting Act (FCRA) govern background check practices and what can be disclosed.

Employment Contracts

  • Employment contracts serve as security instruments: new hires sign agreements to abide by organizational policies.

New Hire Orientation

  • Extensive InfoSec training should be provided during orientation to prepare employees for their responsibilities.

Employee Termination Practices

Security Considerations During Termination

  • A structured termination process is essential to protect organizational information.
  • Key termination actions include disabling access to systems, securing data, and conducting exit interviews to remind employees of obligations such as non-disclosure agreements.

Hostile vs. Friendly Departures

  • Procedures differ based on the nature of the departure; hostile terminations require more stringent controls and escorting the departing employee off the premises.

Personnel Security Practices

Methods to Prevent Misuse of Information

  • Separation of duties, two-person control, and mandatory vacations are practices that reduce opportunities for employees to misuse information.
  • Least privilege access is crucial, granting employees access only to the information necessary for their roles.

InfoSec Performance Management

Importance of Performance Measurement

  • Organizations must consistently measure the effectiveness of InfoSec policies and services.
  • There are three types of measurements: execution effectiveness, efficiency of service delivery, and incident impact assessment.

Building a Performance Measurement Program

  • Key steps include identifying the measures to collect, establishing a data collection framework, and implementing corrective actions based on the data collected.

Benchmarking

Definition and Importance

  • Benchmarking involves comparing organizational efforts with similar organizations or established standards to identify practices that yield better outcomes.
  • Categories include external benchmarking (comparison with other organizations) and internal benchmarking (comparison against past performance).

Standards of Due Care and Due Diligence

  • Organizations may need to establish minimum security levels, termed "due care," to demonstrate compliance and mitigate liability risks.
  • Recommended security practices aim for a superior level of information protection, balancing accessibility and security.