2. Contents:
Introduction
The security function within an Organization’s Structure
Staffing the security function
Qualification and Requirements
Entry into security profession
Information Security Positions
Chief information security officer
Security manager
Security technician
Internal security consultant
3. Introduction
Each organization should examine the options possible for staffing the
information security function.
When implementing security in an organization, there are many human
resources issues that must be addressed:
The entire organization must decide how to position and name the security function
within an organization.
The information security community of interest must plan for proper staffing for the
information security function.
The IT community of interest must understand the impact of information security
The general management community of interest must work with the information security
professionals to integrate solid information security concepts
4. The Security Function within an organization’s structure
The security function can be placed within the:
• IT function, as a peer of other functions such as networks, applications development, and the help desk
• Physical security function, as a peer of physical security or protective services
• Administrative services function, as a peer of human resources or purchasing
• Insurance and risk management function
• Legal department
5. Staffing the security function
Selecting information security personnel is based on a number of criteria.
Some of these factors are within the control of the organization and others
are not.
The following topics are covered:
• Qualifications and requirements
• Entry into the security profession
• Information security positions
6. Qualifications and Requirements:
A number of factors influence an organization’s hiring decisions.
Because information security has only recently emerged as a separate
discipline, the hiring decisions in this field are further complicated by a lack of
understanding among organizations about what qualifications a potential
information security hire should exhibit.
Currently in many organizations, information security teams lack established
roles and responsibilities.
Establishing better hiring practices in an organization requires the following:
The general management community of interest should learn more about
the skills and qualifications for both information security positions and
those IT positions that impact information security.
7. Upper management should learn more about the budgetary needs of the
information security function and the positions within it. This will
enable management to make sound fiscal decisions for both the
information security function and the IT functions that carry out many
of the information security initiatives.
The IT and general management communities should grant appropriate
levels of influence and prestige to the information security function,
and especially to the role of chief information security officer.
When hiring information security professionals, organizations frequently
look for individuals who understand the following:
How an organization operates at all levels
That information security is usually a management problem and is
seldom an exclusively technical problem
8. How to work with people and collaborate with end users, and the
importance of strong communications and writing skills
The role of policy in guiding security efforts, and the role of education and
training in making employees and other authorized users part of the
solution, rather than part of the problem
Most mainstream IT technologies (not necessarily as experts, but as
generalists)
The terminology of IT and information security
The threats facing an organization and how these threats can become
attacks
How to protect an organization’s assets from information security attacks
How business solutions (including technology-based solutions) can be
applied to solve specific information security problems
9. Entry into the Information Security Profession
Many information security professionals enter the field through one of two
career paths:
ex-law enforcement and military personnel involved in national security
and cyber-security tasks, who move from those
environments into business-oriented information security; and technical
professionals—networking experts, programmers, database administrators,
and systems administrators—who find themselves working on information
security applications and processes more often than on traditional IT
assignments.
In recent years, a third (perhaps in some sense more traditional) career path
has developed: college students who select and tailor their degree programs
to prepare for work in the field of information security.
10. Information Security Positions
The use of standard job descriptions can increase the degree of
professionalism in the information security field as well as improve the
consistency of roles and responsibilities among organizations.
Organizations anticipating a revision of these roles and responsibilities can
consult Charles Cresson Wood’s book Information Security Roles and
Responsibilities Made Easy, which offers a set of model job descriptions
for information security positions.
The book also identifies the responsibilities and duties of the members of
the IT staff whose work involves information security.
11. Positions in information security
• Chief Security Officer
• Information Security Consultant
• Information Security Manager
• Information Security Administrator
• Information Security Technician / Engineer
• Physical Security Manager
• Physical Security Officer
12. Chief Information Security Officer (CISO or CSO)
This is typically the top information security officer in the organization.
In many cases, the CISO is the major definer or architect of the
information security program.
The CISO performs the following functions:
Manages the overall information security program for the organization
Drafts or approves information security policies
Works with the CIO on strategic plans, develops tactical plans, and works with security
managers on operational plans
Develops information security budgets based on available funding
Sets priorities for the purchase and implementation of information security projects and
technology
Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
Acts as the spokesperson for the information security team
13. Security Manager
Security managers are accountable for the day-to-day operation of the
information security program.
They accomplish objectives identified by the CISO and resolve issues
identified by technicians.
Management of technology requires an understanding of the technology
administered, but does not necessarily require proficiency in the
technology’s configuration, operation, and fault resolution.
14. Security Technician
Security technicians are the technically qualified individuals tasked to
configure firewalls, deploy IDPSs, implement security software, diagnose
and troubleshoot problems, and coordinate with systems and network
administrators to ensure that an organization’s security technology is
properly implemented.
The position of security technician is often entry level, but to be hired in
this role, candidates must possess some technical skills.
This often poses a dilemma for applicants: many seeking to enter a new
field find it difficult to get a job without experience—which they can
only attain by getting a job.
15. From the Internet…
• http://www.securitypersonnel.com/
Provides services for securing business information.
• http://system.vccs.edu/its/standards/PersonnelSecurityStandard.htm
• Personnel Security Standard
Purpose
This standard is intended to ensure security controls and related
procedures are implemented to protect the privacy, security and integrity of
VCCS information technology resources against unauthorized or improper
use, and to prevent and detect attempts to compromise information
technology resources for any employee who is separated, transferred, or
promoted.