Deck 11: Personnel and Security
1
If you were Iris, how would you reply to Gloria's question?
Certification does not guarantee the best people. A certification only shows that the holder has gained a professional qualification in the respective field; it is useful for establishing a baseline entitlement to the job and for confirming conceptual knowledge of the subject.
Being exceptionally good also depends on equally important requirements, such as:
• Learning ability
• Consistent performance
• Team player
• Presentation
• Demonstrated skills
• Experience
• Educational background
• Communication
• IQ
• Reasoning ability, and many more.
These requirements vary from job to job, and a recruiter must strike a balance between desired and essential qualifications.
Iris should explain the above to Gloria and ask her to shortlist the candidates accordingly.
2
Using the Internet, find at least five job postings for security administrators. What qualifications do the listings have in common? Did any of the listings include any qualifications that seemed unusual or different from what was expected?
The following qualifications for security administrators are common across the postings of different companies:
• A bachelor's or graduate degree in computer science
• Comprehensive knowledge, for accurate troubleshooting
• Ability to interact with all stakeholders and clients as required
• Ability to manage and meet deadlines; knowledgeable and self-motivated
• Effective communication with team members, and the ability to work and supervise without direction
• Strong interpersonal skills for guiding the team and sharing knowledge within it
• 5+ years of related experience at reputable companies in firewall and other network troubleshooting
• Experience reporting and presenting to higher-level management
• At least one firewall certification
• Ability to analyze the issue log to decode errors; expertise in firewall management and configuration; experience with remote access and with the network-based threats the organization might face
The following qualifications were unusual, or different from what was expected:
• Experience on a company data-center transformation project
• Experience on a LAN/WAN migration project
• Experience in disaster recovery, as part of the business continuity plan
3
Looking back at the opening case scenario, did the HR staff that failed to report the candidate's conviction and parole on the "approval to hire" form commit an ethical lapse, or was it just a clerical error?
The HR staff who failed to report the candidate's conviction and parole on the "approval to hire" form committed an ethical lapse. Before offering a job to any candidate, the organization should conduct a background check, regardless of the job level.
A background check can reveal past criminal records or other issues that conflict with industry rules; offering such an applicant the job could put the organization in violation of the law. Every hiring decision must abide by the rules and regulations that govern how the organization may investigate and collect the required information, so the security and HR managers should consult the organization's legal counsel to settle which regulations it will follow.
Background checks differ in their level of detail and depth. In business, the depth of the check depends on the level of security the particular position requires. For InfoSec positions the check should be reasonably strict; for law-enforcement or other high-security positions, polygraph tests may also be required. In the present scenario, the HR staff should have completed all of the following checks before forwarding the approval to hire:
• Identity checks
• Drug history
• Medical history
• Credit history
• Civil court history
• Criminal court history
Once the candidate accepts the offer, the contract of employment becomes an important security instrument. Failing to report the background-check findings before the job is offered is therefore a serious lapse, and a major ethical concern for the organization wherever the position demands high security.
4
When an organization undertakes an InfoSec-driven review of job descriptions, which job descriptions must be reviewed? Which IT jobs not directly associated with information security should be reviewed?
5
What, if anything, is wrong with the human resources focus depicted here? Examine the relationship between certifications and experience. Do certifications alone identify the job candidates with the most appropriate expertise and work experience?
6
Go to the (ISC)² Web site (www.isc2.org). Research the body of knowledge requirements for the CISSP and the SSCP. Which required areas are not covered in this text?
7
The company seems to prohibit the hiring of anyone with a felony conviction for any position. Do you think it is an ethically valid practice for this, or any, company to block the hiring of any felon, or should the nature of the crime for which they were convicted be part of the decision? Why or why not?
8
List and describe the criteria for selecting InfoSec personnel.
9
Using the Internet, search for three different employee hiring and termination policies. Review each and look carefully for inconsistencies. Does each have a section addressing the requirements for the security of information? What clauses should a termination policy contain to prevent disclosure of the organization's information? Create your own variant of either a hiring or a termination policy.
10
What are some of the factors that influence an organization's hiring decisions?
11
Using your local telephone directory, locate a service that offers background checks. Select one at random and call to determine the costs of conducting such checks. How much should an organization spend on conducting these checks if it interviews dozens of potential employees?
12
What attributes do organizations seek in a candidate when hiring InfoSec professionals? Prioritize this list of attributes and justify your ranking.
13
Using the descriptions given in this chapter, write a job description for Iris's new position, which is described in the following case scenario. What qualifications and responsibilities should be associated with this position?
14
What are the critical actions that management must consider taking when dismissing an employee? Do these issues change based on whether the departure is friendly or hostile?
15
How do the security considerations for temporary or contract workers differ from those for regular employees?
16
Which two career paths are the most commonly encountered as entrees into the InfoSec discipline? Are there other paths? If so, describe them.
17
Why is it important to have a body of standard job descriptions for hiring InfoSec professionals?
18
What functions does the CISO perform, and what are the key qualifications and requirements for the position?
19
What functions does the security manager perform, and what are the key qualifications and requirements for the position?
20
What functions does the security technician perform, and what are the key qualifications and requirements for the position?
21
What functions does the internal security consultant perform, and what are the key qualifications and requirements for the position?
22
What is the rationale for acquiring professional credentials?
23
List and describe the certification credentials available to InfoSec professionals.
24
In your opinion, who should pay for the expenses of certification? Under what circumstances would your answer be different? Why?
25
List and describe the standard personnel practices that are part of the InfoSec function. What happens to these practices when they are integrated with InfoSec concepts?
26
Why shouldn't you show a job candidate secure areas during interviews?
27
List and describe the types of nonemployee workers often used by organizations. What special security considerations apply to such workers, and why are they significant?
28
What is separation of duties? How can this method be used to improve an organization's InfoSec practices?
29
What is least privilege? Why is implementing least privilege important?
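Questions 28 and 29 ask about separation of duties and least privilege as personnel controls. As an added illustration (not part of this deck's locked answers, and not code from any real system), the following Python script shows how both principles can be checked mechanically once job duties and role grants are written down: every role, permission, user and duty below is constructed sample data, and the names are assumptions made for this example.

```python
"""Checking separation of duties (SoD) and least privilege over a toy
role-based access model.  Every role, permission and user below is
constructed sample data for this illustration, not taken from a real system."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role -> permissions it grants (constructed catalogue).
ROLES: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "fw_admin": {"fw.rule.write", "fw.rule.read"},
    "fw_change_approver": {"fw.change.approve", "fw.rule.read"},
    "fw_reader": {"fw.rule.read"},
    "helpdesk": {"user.password.reset", "ticket.write"},
}

# Separation of duties: permission pairs no single person may hold, because
# together they let one person complete (and conceal) a sensitive transaction.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"fw.rule.write", "fw.change.approve"}),
}

# What each (constructed) user has actually been granted ...
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_approver"},           # kept old role after a transfer
    "carol": {"fw_admin", "fw_change_approver"},  # can approve her own changes
    "dave": {"helpdesk", "fw_admin"},             # only needs to *read* rules
    "erin": {"ap_clerk", "ap_approver"},
}
# ... versus the permissions their job duties actually require.
USER_DUTIES: Dict[str, Set[str]] = {
    "alice": {"vendor.create", "invoice.enter"},
    "bob": {"invoice.approve", "payment.release"},
    "carol": {"fw.rule.write", "fw.rule.read"},
    "dave": {"user.password.reset", "ticket.write", "fw.rule.read"},
    "erin": {"invoice.enter", "invoice.approve"},  # the job itself is mis-designed
}


def effective_permissions(user: str) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r} assigned to {user!r}")
        perms |= ROLES[role]
    return perms


def sod_violations(user: str) -> List[Tuple[str, str]]:
    """Conflicting permission pairs the user holds at the same time."""
    perms = effective_permissions(user)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)


def excess_permissions(user: str) -> Set[str]:
    """Least-privilege gap: granted permissions the user's duties do not need."""
    return effective_permissions(user) - USER_DUTIES.get(user, set())


def _has_conflict(perms: Set[str]) -> bool:
    return any(pair <= perms for pair in SOD_CONFLICTS)


def least_privilege_roles(user: str) -> Optional[Tuple[str, ...]]:
    """Smallest SoD-clean role set that still covers the user's duties.

    Ties are broken by the fewest surplus permissions.  Returns None when no
    conflict-free combination can cover the duties: then the job itself must
    be split, not merely the role assignment.  Brute force over role subsets
    is fine for a catalogue this small."""
    duties = USER_DUTIES.get(user, set())
    if _has_conflict(duties):
        return None
    names = sorted(ROLES)
    for size in range(1, len(names) + 1):
        candidates = []
        for combo in combinations(names, size):
            granted = set().union(*(ROLES[r] for r in combo))
            if duties <= granted and not _has_conflict(granted):
                candidates.append((len(granted - duties), combo))
        if candidates:
            return min(candidates)[1]
    return None


def audit() -> Dict[str, dict]:
    """One report row per user: SoD hits, surplus permissions, suggested fix."""
    return {
        u: {
            "sod": sod_violations(u),
            "excess": sorted(excess_permissions(u)),
            "suggest": least_privilege_roles(u),
        }
        for u in sorted(USER_ROLES)
    }


if __name__ == "__main__":
    for user, row in audit().items():
        print(f"{user:6} sod={row['sod']} excess={row['excess']} suggest={row['suggest']}")
```

Running the script flags three distinct personnel problems the two questions are getting at: Bob and Carol hold conflicting permission pairs (role accumulation after a transfer, and an administrator who can approve her own changes), Dave has write access where his duties only need read access (least privilege is satisfied only by adding a narrower role), and Erin's duties conflict on their own, so no role assignment can fix her position without redesigning the job.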