Lesson 22 of 33

Resource On-boarding Process

1    Introduction

2.1         Purpose

The purpose of this document is to provide information about the activities and steps required to on-board new staff (new joiner) in the Global Security Operations Centre (GSOC). The document describes the steps to undertake, along with the resources necessary from the pre-joining (hiring phase) up to completion of on-boarding.

2.2         Scope

The scope covers the personnel resource on-boarding process within the KPMG Global SOC (GSOC).

2.3         Ownership

The responsibility of ownership and ongoing management of this document, including the processes contained therein, rests with the GSOC Director.

2.4         Audience

The intended audience for this document is the Global SOC Team. The document may also be viewed by KPMG International and Member Firm management who are responsible for, and/or have an established interest in, this area.

2.5         Reporting Violations

Any violations of the contents of this document should be reported directly to the following email address: << GSOC-Manager@kpmg.com >>

2.6         Responsibilities

The following roles have responsibilities for respective components of this on-boarding process.

Please note that this is not a comprehensive listing of the responsibilities of each of the following roles; it only represents the high-level, role-specific responsibilities that support this process.

2.6.1       HR Team

The HR team is ultimately responsible for sourcing and hiring personnel to work in the GSOC. They will work with the GSOC Operations Manager to identify suitable candidates, within and outside the firm, to fill available vacancies within the GSOC.

The HR team is typically involved with the external sourcing (hiring) of staff, while the One Firm Resourcing team is involved with internal sourcing, e.g. secondments of staff with the required skill sets to fill available vacancies.

2.6.2       GSOC Director

The GSOC Director will ensure that relevant processes are in place to enable effective on-boarding.

2.6.3       GSOC Operations Manager

The GSOC Operations Manager will work with the HR teams to identify suitable candidates to work within the GSOC, define the start date, assign a Buddy, and work with HR to design an induction schedule for the new joiner.

2.6.4       Buddy

A Buddy is a member of staff within the GSOC who is assigned to the new joiner. The Buddy's role is to assimilate the person into the GSOC and KPMG, and to ensure that the new joiner gets all the information needed to perform their day-to-day job.

A Buddy is expected to be someone who has been in the GSOC for 12 months. The exception to this is when the GSOC is in the build phase, in which case another member of staff from the firm may be assigned as the Buddy.

2.6.5       KPMG IT and

Access to KPMG Corporate Infrastructure is to be provided to all GSOC members.

2.6.6       GSOC IT

GSOC resources will be provisioned to users in accordance with their roles and requirements.

2.6.7       New Joiner

This is the new member of staff joining the GSOC. They could be externally sourced via the Human Resources team or internally sourced via the internal resourcing team. Internally sourced candidates could be on secondment (for a pre-defined period of time) or transferred fully to the GSOC function.

Irrespective of how the joiner is sourced, this document defines the steps to on-board the new member of staff into the GSOC.

2.7         Upstream (Dependent) Processes

2.8         Downstream (Affected) Processes

3    The On-boarding Process

3.1         Process Overview

Figure 1: High level steps in the on-boarding process

3.2         Process Description

The phases involved in the on-boarding process highlighted in the process flow diagram above are explained below.

3.2.1       Staff Hire, HR On-boarding and Preparation of Induction Schedule

The process of sourcing and hiring people into the GSOC will follow the existing KPMG HR hiring procedures and the Internal Resourcing team procedures for staff transfer or secondments as applicable.

The HR team and the GSOC Operations Manager will agree on staff start (joining) date and a suitable Buddy for the new Joiner.

The choice of Buddy will typically be influenced by the role and grade of the new joiner. As such, an ideal Buddy shall be a member of staff with at least 12 months' experience in KPMG.

The GSOC Operations Manager will create the induction schedule in collaboration with the Buddy, to ensure that the key personnel who will provide shadowing are available during the on-boarding period. They will also ensure that the workspace and tools needed by the new joiner are made available.

3.2.2        General IT Induction

Every new joiner to KPMG is expected to undertake a General IT induction course on commencement, where basic joining activities are highlighted along with a basic introduction to the KPMG business and productivity tools, e.g. Timesheet, Expense, SAP ERP services, mail systems, etc.

Internally sourced personnel will not be required to attend this course, as they have already been through this process. However, an assessment will need to be carried out for international secondees to determine whether the induction is required.

The Buddy will book the induction for the new joiner by contacting the relevant contacts in the HR Onboarding Team, and will direct the new joiner when they report to the GSOC.

Upon completion of the induction (for external hires) or on the day of reporting (for internal hires), the new joiner will be introduced to the Buddy, who will work with the new joiner to execute the rest of the on-boarding tasks.

3.2.3       Introduction to GSOC Members

Upon commencement (and completion of the General IT induction if externally sourced), the Buddy will introduce the new joiner to the existing GSOC members of staff and other key stakeholders. This is aimed at setting the tone for fostering good working relationships between the new joiner and the rest of the team.

At a fitting time, all new joiners will be introduced to the Global CISO.

3.2.4       General On-boarding Activities

After the introduction and other formalities, the Buddy shows the new member of staff their desk and guides them through the general on-boarding activities, in accordance with the requirements specified in [1].

The training that the new joiner must complete will be mandated by HR. However, the GSOC may also mandate new joiners to undergo GSOC-specific training. This shall be done in accordance with the Training Catalogue and Skills Matrix.

Also, as part of the general on-boarding activities, the Buddy shall take the new joiner on a tour of the office during their first day at work.

A full listing of on-boarding activities is provided in the “On-Boarding Guide/Checklist”. This is a living document and shall be updated regularly in line with new business requirements.

3.2.5       GSOC Induction

The GSOC Operations Manager shall co-ordinate a GSOC induction program for new joiners. This will provide an overview of the functions, organisational structure and operations of the GSOC as well as key processes, procedures and governing policies.

3.2.6       Personnel Shadowing

This phase involves assigning the new joiner to an existing GSOC staff member for shadowing (understudy). Shadowing proceeds in phases, starting with 100% monitoring and reducing to a 50% monitored understudy. The shadowing schedule and its timeline will be determined by the Buddy in consultation with the GSOC Operations Manager, and may vary per individual/role as well as with the urgency. The following table indicates how the shadowing level changes over time for each role.

Role                 Shadowing Percentage   Length
L1 Analyst           100%                   2 week(s)
                     50%                    1 week(s)
                     25%                    1 week(s)
L2 Analyst           100%                   1 week(s)
                     50%                    1 week(s)
                     25%                    2 week(s)
Content Developer    100%                   0 week(s)
                     50%                    1 week(s)
                     25%                    1 week(s)
Threat Analyst       100%                   0 week(s)
                     50%                    1 week(s)
                     25%                    1 week(s)
Tooling Engineer     100%                   1 week(s)
                     50%                    2 week(s)
                     25%                    1 week(s)

3.2.7       Demonstrating Knowledge of Key Processes to Buddy

Once the Buddy is confident that the individual has an adequate level of knowledge to carry out the tasks, the shadowing will be reduced to reflect the level of capability of the individual.

If the assessment is unsatisfactory, the new joiner will return to the shadowing phase. The Buddy will provide feedback on specific areas of weakness to guide the new joiner.

3.2.8       Final Evaluation of On-boarded Resource

This stage is conducted by the GSOC Operations Manager and an experienced member of staff in a role similar to that of the new joiner.

Here the joiner is evaluated on their ability to demonstrate the requisite skill in handling scenarios presented to them by the team.

3.2.9       Initiate Suitability

Where a new joiner repeatedly fails to demonstrate the capabilities required to successfully fulfil their role, the GSOC will initiate a performance review through the individual’s performance manager.

3.2.10   Completion of On-boarding

At this point, the new joiner is believed to have settled into their role and can work independently in executing their role requirements.

The on-boarding process is deemed completed.

3.3         User Provisioning

Provisioning of the user involves the creation of access rights to information assets/resources as well as asset assignment.

As a guiding principle, access rights shall be provided on a need-to-know basis.

User provisioning will be implemented as a two-tiered process covering access to General KPMG Resources and access to GSOC-Specific Resources. This is discussed further below.

3.3.1       Access to General KPMG Resources

Access to General KPMG resources will be handled by the IT Engineers and Security Department (Central Services) on the advice of the Human Resources team and the GSOC Manager. This will include access to workspaces (ID card and PIN codes, where applicable), the enterprise network (including workstation setup), creation of an email address for the new joiner (if externally sourced), and addition to applicable distribution lists, group mailboxes and shared resources.

3.3.2       Access to GSOC Specific Resources

Access to GSOC-specific resources will be handled by the GSOC Tooling Engineer, who will be responsible for platform provisioning, user creation/addition on the GSOC-specific solutions, and role assignment.

No single role or person can both request and authorise access to any GSOC resource.

Access will be granted based on approvals by the appropriate management.

3.3.3       Level 1 Tools / Platforms

The L1 Analyst(s) will be provided access to the following tools through the Research Lab.

Linux Free and Open Source Tools

Name      Description                                                Location
alias     Alias for commands                                         Built-in command
awk       Pattern scanning and text processing language              Built-in command
base64    Base64 encode/decode data and print to standard output     Built-in command
cat       Concatenate files and print on the standard output         Built-in command
cd        Change directory                                           Built-in command
curl      Transfer a URL                                             Built-in command
dd        Convert and copy a file                                    Built-in command
diff      Compare files line by line                                 Built-in command
dig       DNS lookup utility                                         Built-in command
dos2unix  DOS/Mac to Unix and vice versa text file format converter  Built-in command
egrep     Print lines matching a pattern                             Built-in command
file      Determine file type                                        Built-in command
find      Search for files in a directory hierarchy                  Built-in command
grep      Print lines matching a pattern                             Built-in command
gzip      Compress or expand files                                   Built-in command
host      DNS lookup utility                                         Built-in command
ls        List directory contents                                    Built-in command
lynx      CLI browser                                                Built-in command
md5sum    Compute and check MD5 message digest                       Built-in command
mount     Mount a filesystem                                         Built-in command
nano      Nano’s ANOther editor, an enhanced free Pico clone         Built-in command
nc        Network Swiss army tool                                    Built-in command
perl      Perl language interpreter                                  Built-in language
ping      Send ICMP ECHO_REQUEST to network hosts                    Built-in command
ps        Report a snapshot of the current processes                 Built-in command
python    An interpreted, interactive, OO programming language       Built-in language
rdesktop  Remote Desktop Protocol client                             Built-in command
rm        Remove files or directories                                Built-in command
scp       Secure copy (remote file copy command)                     Built-in command
sed       Stream editor for filtering and transforming text          Built-in command
sha1sum   Compute and check SHA1 message digest                      Built-in command
sort      Sort lines of text files                                   Built-in command
split     Split a file into pieces                                   Built-in command
ssh       OpenSSH SSH client (remote login program)                  Built-in command
tail      Output the last part of files                              Built-in command
tar       Unpack an archive                                          Built-in command
telnet    User interface to the TELNET protocol                      Built-in command
touch     Change file timestamps                                     Built-in command
uniq      Report or omit repeated lines                              Built-in command
upx       Compress or expand executable files                        Built-in command
vim       Vi IMproved, a programmer’s text editor                    Built-in command
watch     Execute a program periodically, showing output fullscreen  Built-in command
wget      The non-interactive network downloader                     Built-in command
whois     Searches for an object in an RFC 3912 database             Built-in command
zip       Package and compress (archive) files                       Built-in command

Windows Tools

Name – Description [Location]
Tasklist – Displays all running applications and services with their Process ID. [Built-in command]
Systeminfo – Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties such as RAM, disk space, and network cards. [Built-in command]
Windows ‘Net’ commands – Used to manage networks and other functions: [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ] [Built-in command]
PsTools – The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more. [http://technet.microsoft.com/en-us/sysinternals/]
Wmic – Windows Management Instrumentation Command-line [Built-in command]
PowerShell – Windows PowerShell command line and scripting [Built-in command]
ShareEnum – Scan file shares on your network and view their security settings to close security holes [http://technet.microsoft.com/en-us/sysinternals/]
PsFile – See what files are opened remotely. [http://technet.microsoft.com/en-us/sysinternals/]
PsExec – Execute processes remotely. [http://technet.microsoft.com/en-us/sysinternals/]
cygwin – Unix-like environment and command-line interface for Microsoft Windows [https://www.cygwin.com/]
nbtstat – Displays protocol statistics and current TCP/IP connections using NBT [Built-in command]

3.3.4       Level 2 / Content Developer Tools

The L2 Analyst(s)/Content Developers shall be provided access to the following tools through the Research Lab.

Malware Analysis Tools – Network Analysis

Name – Description
Burp Suite – Proxy server
Flypaper – A tool that captures malware binary code
Paros – Proxy server
Netwitness Investigator – Identify and catch malware
Yara – Identify and classify malware
Tcpdump – Command-line packet analyser
Wireshark – Network protocol analyzer for Unix and Windows
p0f – Passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications
Ettercap – Suite for man-in-the-middle attacks
Tcpreplay – Permits replaying captured traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS
Socat – Relay for bidirectional data transfer between two independent data channels
Arping – Tool used to discover hosts on a computer network
Ngrep – pcap-aware tool that allows you to specify extended regular expressions to match against the data part of packets on the network

Malware Analysis Tools – Dynamic Analysis

Name – Description
Cuckoo – Malware analysis system (sandbox)
GMER – A tool that detects and removes rootkits
Immunity Debugger – Debugger
JD-GUI – Java decompiler
JS Beautifier – JavaScript code beautifier and deobfuscator
Malzilla – JavaScript deobfuscator
OllyDbg – x86 debugger
peepdf – Investigate PDF files
Process Explorer – Displays information about running processes
Process Hacker – Process viewer that allows for memory searches and process termination
Process Monitor – Shows real-time file system, Registry, and process/thread activity
Regshot – Takes a snapshot of a computer’s registry and can compare two registry snapshots
Winappdbg – Develop debugging scripts

Malware Analysis Tools – Static Analysis

Name – Description
CFF Explorer – PE editor
IDA Pro – Interactive binary disassembler
MD5 – Hash function that produces a 128-bit hash value
PDFiD – Scans PDF for malicious code
SWFDump – Disassembles code contained in a SWF file

Unpacking Tools

Name – Description
PEiD – Detects most common packers, cryptors and compilers for PE files
UPX Unpacker – Unpacks UPX-packed files

Memory Analysis

Name – Description
Volatility – Extracts digital artefacts from RAM

Forensic Tools (Freeware and Open Source)

Digital Evidence Acquisition
dd – called GNU dd, is the oldest imaging tool
dc3dd – patched version of GNU dd with added features for computer forensics
ddrescue – raw disk imaging tool that copies data from one file or block device to another, trying hard to rescue data in case of read errors
dcfldd – enhanced version of GNU dd

Media Management
libewf – library to access the Expert Witness Compression Format (EWF). It contains tools which: write storage media data from devices and files to EWF files; write data from stdin to EWF files; (an experimental tool that does nothing at the moment); export storage media data in EWF files to (split) RAW format or a specific version of EWF files; show the metadata in EWF files; FUSE-mount EWF files; (a special variant of ewfexport) create a new set of EWF files from a corrupt set; verify the storage media data in EWF files. The libewf package also contains language bindings.
afflib – Advanced Forensics Format (AFF) is an extensible open format for the storage of disk images and related forensic metadata

Mounting Disk Images
mount – Tool used to mount disks

Hashing Tools
md5deep – suite of cross-platform tools to compute and audit hashes for any number of input files. It also supports SHA-1, Tiger and Whirlpool.

Disk Analysis
The Sleuth Kit – collection of UNIX-based command line tools that allow you to investigate a computer. Some of the tools included are: blkcat, blkls, blkcalc, icat, ils, istat.
log2timeline – provides a framework to parse various log files and artifacts found on suspect systems. The tool contains timescanner and glog2timeline.

Artefact Analysis
galleta and pasco – Internet Explorer cookie forensic analysis tools
rifiuti – Recycle Bin forensic analysis tool
antiword – application used to display text and graphics from Microsoft Word documents
exiftool – Perl library and command-line tool that can be used for reading and writing metadata in files

Registry Analysis
recover_deleted_registry_keys.pl – recover unallocated keys and key slack from a registry hive
regripper – extracting, correlating, and displaying specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems

RAM Analysis
Pdgmail – gmail memory forensics
Pdymail – yahoo memory forensics

Data Carving
Foremost – recovers deleted files; served as the basis for the more modern Scalpel
Magicrescue – scans a block device for file types it knows how to recover and calls an external program to extract them
testdisk – primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table)
rapier – designed to acquire commonly requested information and samples during an information security event, incident, or investigation
scalpel – recovers deleted data; originally based on foremost

Data Compression Tools
Rar – tool used to extract, open and compress rar files
Bzip – tool used to extract, open and compress bzip files
p7zip – port of 7za.exe for POSIX systems like Unix and Mac OS X

PDF Analysis
pdfid.py – PDF forensics tool that will quickly provide you an overview of a PDF file’s potential threats
pdfparser.py – identifies the fundamental elements used in the analysed file

GUI Forensic Analysis
Autopsy – digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools

Password Cracker
john – password cracker, also available for Windows
bkhive – dumps the syskey bootkey from a Windows NT/2K/XP/Vista system hive
samdump – dumps the Windows NT/2K/XP/Vista password hashes
ophcrack – free Windows password cracker based on rainbow tables

Steganography
Outguess – steganographic tool that allows the insertion of hidden information into the redundant bits of data sources
StegSecret – detection of hidden information in different digital media

Other Tools
Rdesktop – a Remote Desktop Protocol client for accessing Windows Remote Desktop Services
Sqlite – SQLite Database Browser is a light GUI editor for SQLite databases, built on top of Qt
dos2unix – utility to convert text files with DOS or Mac line breaks to Unix line breaks and vice versa

3.3.5       Tooling Engineer Tools / Platforms

Tooling Engineers will be provided access to the following tools and platforms:

3.3.6       Threat Analyst Tools / Platforms

Threat Analysts will be provided access to the following tools and platforms:

References

[1] https://portal.ema.kworld.kpmg.com/europe/HR/Recruitment/Lists/New%20Joiner%20Checklist/AllItems.aspx
