Chapter 11 Exercises
1. Search your libraryís database and the Web for an article about people who violate their organizationís policy and are terminated. Did you find many? Why or why not?
a. After searching my libraryís database and searching the Web, I did not find very many articles about people who violate their organizationís policy and were terminated because I donít think organizationís want this information to be public and have people not like their company because of it. Also, these actions are internal, so they are usually not externally reported. The organization doesnít want to reveal weaknesses within their own system or their poor judgment in hiring and/or retention of the terminated employees. Companyís donít typically publish this information for everyone to see because it will end up making them look bad and turning people away from the company.
2. Go to the (ISC)2 Web site at www.isc2.org. Research the knowledge areas included in the tests for the CISSP and SSCP certifications. What areas must you study that are not included in this text?
a. CISSP certification candidates must: subscribe to the ISC2 Code of Ethics, have a minimum of 3 years of full-time security professional work experience in one or more of the test domains of the information security Common Body of Knowledge, information that is not covered in this text are: Application and Systems Development, Law, Investigation, and ethical decision making.
b. SSCP certification candidates must: subscribe to the ISC2 Code of Ethics, have at least 1 year of cumulative work experience in information systems security, experience includes practitioners or other IS security knowledge related jobs that involve direct application, information not covered: Audit, monitoring, malicious code, and malware.
3. Using the Web, identify some certifications with an information security component that were not discussed in this chapter.
a. Some certifications with an information security component that were not discussed in this chapter are:
ii. Microsoft Certified Professional (MCP)
iii. Microsoft Certified Systems Engineer (MCSE)
iv. Microsoft Certified Professional Internet (MCP+I)
v. Microsoft Certified Systems Administrator (MCSA)
vi. Microsoft Certified Professional Security Personnel and IS Maintenance
vii. Site Building (MCP+SB)
viii. Microsoft Certified Solutions Developer (MCSD)
ix. Microsoft Certified Database Administrator (MCDBA)
x. Microsoft Certified Application Developer (MCAD)
xi. Microsoft Certified Trainer (MCT)
xii. Microsoft Office User Specialist (MOUS)
4. Search the Web for at least five job postings for a security analyst. What qualifications do the listings have in common?
Job 5: https://www.glassdoor.com/job-listing/information-security-analyst-i-ii-or-sr-10-fte-essentia-health-JV_IC1156255_KO0,46_KE47,62.htm?jl=2548618034
a. Application Security Architect
b. Security consultant to handle the following tasks:
i. Application Security
ii. LDAP to third party sych (RDBMS, RACF, etc.)
iii. Directory services
iv. Single sign on
v. LDAP-Active Directory, Netscape Directory, or Open LDAP
vi. UNIX Security Architect
vii. Assessing the existing environment, planning a comprehensive security approach, executing the plan to completion, and more.
5. Search the Web for three different employee-hiring and termination policies. Review each and look carefully for inconsistencies. Do each of the policies have sections that address information security requirements? What clauses should a termination policy contain to prevent disclosure of an organizationís information? Create your own version of either a hiring policy or a termination policy.
a. Of the three hiring/termination policies I reviewed, none of them had any information pertaining to information security requirements. All of the them included information about benefits, payment information, and other corporate policy information. The policies always included information about an exit interview. A termination policy should include statements about taking and revealing corporate information that they have learned or have been privileged to while they were employed. It should also include statements concerning deleting or altering company information for malicious purposes. All the statements should clearly define the consequences and lengths to which the company is willing to ensure that the company is protected.