13.12 Security Personnel




Getting the most out of these security administration tools requires trained security personnel and special attention to the following certifications and certifying organizations during the hiring process:

  • CSA: This person configures and manages fundamental implementations of firewalls. This person possesses the requisite skills to define and configure security policies that enable secure access to information across corporate networks. In addition to these essential skills, a CSA also has the ability to monitor network security activity and implement measures to block intruder access to networks.

  • CSE: This person has in-depth knowledge of establishing and managing VPNs and implementing complex installations of firewalls. This person also understands the encryption schemes used by VPNs and firewalls, configures remote access security, writes policy definitions, and modifies attack detection parameters.

  • Security certified network architect (SCNA): This person has expertise in cryptography, biometrics, public key infrastructure (PKI) planning and implementation, the Health Insurance Portability and Accountability Act (HIPAA), security response, smart cards, legal and physical security issues, and network forensics.

Among vendors that offer security certifications are Cisco, Check Point, and Symantec. Security expertise can also be demonstrated by passing specific exams on non-security certifications. Microsoft, for instance, does not offer a separate security certification but does offer security-related exams, such as “Designing Security for a Windows 2000 Network,” which serve to demonstrate knowledge of key security issues.

Global Information Assurance Certification (GIAC), an organization founded by the SANS Institute in 1999, offers 10 standalone security certifications in specific areas of expertise, such as firewalls, intrusion, and incident handling.

The nonprofit International Information Systems Security Certification Consortium (ISC)2 offers one of the leading security certifications—the certified information systems security professional (CISSP). The CISSP program offers credentials for those responsible for developing and managing the implementation of security policies, standards, and procedures. Another (ISC)2 certification, the systems security certified practitioner (SSCP), is designed for network and systems administrators involved in security implementations.

The value of these security certification programs is universally recognized. IT organizations should stipulate them in job descriptions and look for them as a means of screening qualified candidates during the hiring process. If layoffs hit the IT department, security certifications can play a role in the decision about whom to retain. In fact, 66% of those certified believe their certifications play at least some role in job security.

It pays to recognize that most security breaches originate from within the organization. A network is only as secure as the administrator is trustworthy. Steps can be taken to minimize this risk when filling such sensitive positions. During the hiring process, for example, employers should ensure that references from past employers are thoroughly checked, that the applicant’s resume accounts for all time from high school to the present, and that the applicant’s work experience and education are not exaggerated. The employer should not be timid about determining the responsibility level of a candidate for employment, even to the point of checking a credit report for excessive indebtedness or bankruptcy or police records for arrests and convictions.

At the same time, trust should not extend to individuals who leave the organization. Upon quitting or dismissal, any computers or devices issued to that person should be immediately retrieved and network privileges revoked. All encryption keys throughout the organization should be changed without delay. Furthermore, that person’s ID badge should be confiscated before he or she is escorted from the building. The harsh reality of network intrusions from within the organization justifies such measures.






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
EAN: 2147483647
Year: 2003
Pages: 184
