
Information Security Department Placement Option

5. Information Security Department Placement Process

5.1. Placement Initiation

This section discusses the Placement Initiation phase. As mandated by Top Management, <Organization Agency Name> will be required to have an Information Security function.

A GAP analysis needs to be conducted before establishing an Information Security function. Its outcome will identify the missing areas of an Information Security function (provided an Information Security function already exists). Thereafter it is the responsibility of Top Management to create an Information Security function as stated in this guide.

Security is the responsibility of everyone within the company. All end users are responsible for understanding the policies and procedures applicable to their particular job function and for adhering to the security control expectations. Users must know their responsibilities and be trained to a level adequate to reduce the risk of loss.

Although exact titles and scope of responsibility of individuals may vary by Agency, the following roles support the implementation of security controls. An individual may be performing multiple roles when the processes are defined for an Agency, depending upon existing constraints and Agency structure. It is important to provide clear assignments and accountability to designated employees for various security functions to ensure that the tasks are being performed.

Communication of the responsibilities for each function, through distribution of policies, job descriptions, training, and management direction provides the foundation for execution of security controls by the workforce.

5.1.1. Roles & Responsibilities

5.1.1.1. Top Management

Top management has overall responsibility for protection of information assets. Agency operations are dependent upon information being available, accurate, and protected from individuals without a need to know.

Financial losses can occur if the confidentiality, integrity, or availability of information is compromised. Members of the management team must be aware of the risks that they are accepting for an Agency, either through explicit decision making or the risks they are accepting by failing to make decisions or to understand the nature of the risks inherent in the existing operation of the information systems.

5.1.1.2. Security Officer

The security officer directs, coordinates, plans and organizes information security activities throughout the Agency. The security officer works with many different individuals, such as executive management, business unit management, technical staff, and third parties such as auditors and external consultants. The security officer and his team are responsible for the design, implementation, management and review of the Agency security policies, standards, procedures, baselines, and guidelines.

5.1.1.3. Information Systems Auditor

The information systems auditor determines whether systems are in compliance with adopted security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements. Auditors provide independent assurance to management on the appropriateness of the security objectives. The auditor examines information systems and determines whether they are designed, configured, implemented, operated, and managed in a way that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls that have been adopted and their effectiveness. Samples are extracted to test the existence and effectiveness of information security controls.


5.1.1.4. Security Administrator

Security administrators manage user access request processes and ensure that privileges are provided only to those individuals who have been authorized for access by management. These individuals have elevated privileges: they create and delete accounts and access permissions. Security administrators also terminate access privileges when individuals leave their jobs or transfer among company divisions. Security administrators maintain records of approvals as part of the control environment and provide these records to information systems auditors to demonstrate compliance with policies.

5.1.1.5. Physical Security

The individual(s) assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies and the state police, to assist in incident investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of CCTV surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, legal, and business areas to ensure that all practices are integrated.

5.1.1.6. Help Desk Administrator

As the name implies, the help desk is there to handle questions from users that report system problems through a ticketing system. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk administrator contacts the computer emergency response team (CERT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control. These functions may alternatively be performed through self-service by the end-users, or by another area such as the security administration, systems administrators, etc., depending upon the organizational structure and separation of duties principles in use at the Agency.

5.2. Placement Planning

Proper staffing is a success factor to the Information Security function. After defining the roles and responsibilities of the proposed placement options, the <Organization Agency Name> should consider the following:

- Develop a skills set matrix (refer to the sample below) with the required skills needed.

Skills Set Matrix (the columns CISM through ISO 27001 are certifications)

Candidate | CISM | CISSP | CISA | CCSP | CPP | CEH | GIAC | ISO 27001 | Other IS Qualifications/Training Name
Name      |      |       |      |      |     |     |      |           |
Name      |      |       |      |      |     |     |      |           |
Name      |      |       |      |      |     |     |      |           |
Name      |      |       |      |      |     |     |      |           |
Name      |      |       |      |      |     |     |      |           |

- Communicate the skill set needed, and the timelines of when it is needed, with HR
- Initiate the recruitment process
- Collect CVs
- Shortlist and identify the prospective employees with the required characteristics
- Arrange interviews with the selected candidates


5.3. Placement Execution

In the Placement Execution phase, <Organization Agency Name> should start the decision-making process pertaining to the qualified candidates to fill the various positions, based on the placement options mentioned earlier in this document.

Candidates should be hired according to the <Organization Agency Name> hiring process.

Upon the candidates’ arrival to <Organization Agency Name>, an induction/orientation should be conducted to ensure a smooth start.

5.4. Placement Monitoring & Controlling

To ensure the continuous success of the Information Security function, <Organization Agency Name> should consider the following:

- Undergo annual evaluations of employees
- Develop and maintain Job Descriptions
- Develop and maintain career development plans
- Conduct an annual skill set Gap Assessment
- Develop a regularly updated training curriculum for each target group of employees, taking the following into consideration:
  - Current and future business needs and strategy
  - Corporate values (ethical values, control and security culture, etc.)
  - Implementation of new IT infrastructure and software (i.e., packages, applications)
  - Current and future skills, competence profiles, and certification and/or credentialing needs, as well as required re-accreditation
  - Delivery methods (e.g., classroom, web-based), target group size, accessibility and timing
