Kim Mattson

CH11

1. Search your library's database and the Web for an article about people who violate their organization's policy and are terminated. Did you find many? Why or why not?

I found a handful of articles discussing termination due to violating a company policy. They generally say the same thing: if you violate a policy, the employer is completely justified in terminating you. There were a few variations on the overall topic of dismissal, explaining the differences with wrongful termination and violating public policy, being an employee at will, and information on handling and moving forward after such an event. I think the articles were fairly generic because each employer or organization is going to have their own set of policies and how strictly to act on a violation.

 

2. Go to the (ISC)2 Web site at www.isc2.org. Research the knowledge areas included in the tests for the CISSP and SSCP certifications. What areas must you study that are not included in this text?

For both certifications, a more in-depth focus is needed on operating and implementing cryptographic systems, software development, monitoring and logging of activities, and cloud configuration and security.

 

3. Using the Web, identify some certifications with an information security component that were not discussed in this chapter.

Microsoft Certified Professional (MCP), Microsoft Certified Systems Engineer (MCSE), Microsoft Certified Professional Internet (MCP+I), Microsoft Certified Systems Administrator (MCSA), Microsoft Certified Professional Solutions Developer (MCSD), Microsoft Certified Database Administrator (MCDBA), Microsoft Certified Application Developer (MCAD).

 

4. Search the Web for at least five job postings for a security analyst. What qualifications do the listings have in common?

Most require or prefer a BS in Computer Science, anywhere from 2-5 years of work experience, knowledge of infrastructure protection and security, CISSP or CISM certification, and experience with Cisco and Microsoft.

 

5. Search the Web for three different employee hiring and termination policies. Review each and look carefully for inconsistencies. Does each of the policies have sections that address information security requirements? What clauses should a termination policy contain to prevent disclosure of an organization's information? Create your own version of either a hiring policy or a termination policy.

The employee handbook contains the organization's policies and procedures, including at the very minimum a policy covering acceptable use of the internet and tampering with or altering property. The scope of the policies on information security depends on the company. A company with a CISO will have many information security policies covering, but not limited to, restrictions on and appropriate use of internet, email, software, passwords, and hardware.

The termination policy covered any property to be returned (laptops, software, etc.) and stated that any user privileges and account access will be terminated. A termination policy should have clauses covering the return of any property (laptops, files, keys, etc.) and what consequences or actions may be taken if necessary. Also review the confidentiality agreement.

 

Purpose

The intent of this policy is to ensure that employee terminations, including voluntary and involuntary terminations, are handled in a professional manner with minimal disruption to the workplace.

At-Will Employment

Employment with is voluntary and subject to termination by the employee or at will, with or without cause, and with or without notice, at any time. Nothing in these policies shall be interpreted to eliminate or modify in any way the employment-at-will status of employees.

Voluntary Terminations

A voluntary termination of employment occurs when an employee submits a written or verbal notice of resignation to his or her supervisor or when an employee is absent from work for three consecutive workdays and fails to contact his or her supervisor (job abandonment).

Procedures

Employees are requested to provide a minimum of two weeks' notice of their intention to separate from the company. The employee should provide a written resignation notification to his or her manager. Upon receipt of an employee's resignation, the manager will notify the human resource (HR) department by sending a copy of the resignation letter and any other pertinent information (e.g., employee's reason for leaving, last day of work).

Involuntary Terminations

The inability of an employee to perform the essential functions of his or her job with or without a reasonable accommodation may also result in an involuntary termination. An employee may also be discharged for any legal reason, including but not limited to: misconduct, tardiness, absenteeism, unsatisfactory performance or inability to perform.

Procedures

Before any action is taken to involuntarily discharge an employee, the employee's manager must request a review by the termination review board. The termination review board will be responsible for reviewing the circumstances and determining if discharge is warranted. If the board recommends discharge, the employee's manager and an HR representative will notify the employee. The employee's manager notifies HR and payroll of the last day worked by the employee.

Final Pay

An employee who resigns or is discharged will be paid through the last day of work, plus any unused paid time off (PTO), less outstanding loans, advances or other agreements the employee may have with the company, in compliance with state laws.

Information Security and Property

Terminating employees are required to return to their supervisor all property, equipment, and materials which were issued to them during employment. This includes, but is not limited to, keys and passes. These items shall be returned on or before the last day of the individual's employment.

Supervisors or other responsible administrators shall determine a date to revoke access rights to various property and information, including but not limited to building access, computer systems and accounts, and information access privileges on or before the date of termination.