Resource On-boarding Process
The purpose of this document is to provide information about the activities and steps required to on-board new staff (new joiners) into the Global Security Operations Centre (GSOC). The document describes the steps to undertake, along with the resources necessary, from pre-joining (the hiring phase) through to completion of on-boarding.
The scope covers the personnel resource on-boarding process within the KPMG Global SOC (GSOC).
The responsibility of ownership and ongoing management of this document, including the processes contained therein, rests with the GSOC Director.
The intended audience for this document is the Global SOC Team. The document may also be viewed by KPMG International and Member Firm management who are responsible for, or have an established interest in, this area.
The following roles have responsibilities for their respective components of this on-boarding process.
Please note that this is not a comprehensive listing of the responsibilities of each role; it represents only the high-level, role-specific responsibilities that support this process.
The HR team is ultimately responsible for sourcing and hiring personnel to work in the GSOC. They will work with the GSOC Operations Manager to identify suitable candidates within and outside the firm to fill available vacancies within the GSOC.
The HR team is typically involved with the external sourcing (hiring) of staff, while the One Firm Resourcing team is involved with internal sourcing, e.g. secondments of staff with the required skill sets to fill available vacancies.
2.6.2 GSOC Director
The GSOC Director will ensure that relevant processes are in place to enable effective on-boarding.
The GSOC Operations Manager will work with the HR teams to identify suitable candidates to work within the GSOC, agreeing the start date, assigning a Buddy, and working with HR to design an induction schedule for the new joiner.
A Buddy is a member of GSOC staff who is assigned to the new joiner. The Buddy's role is to assimilate the new joiner into the GSOC and KPMG, and to ensure that the new joiner receives all the information needed to perform their day-to-day job.
A Buddy is expected to be someone who has been in the GSOC for 12 months. The exception to this is when the GSOC is in its build phase, in which case another member of staff from the firm may be assigned as the Buddy.
Access to KPMG Corporate Infrastructure is to be provided to all GSOC members.
GSOC resources will be provisioned to users in accordance with their roles and requirements.
This is the new member of staff joining the GSOC. They may be externally sourced via the Human Resources team or internally sourced via the internal resourcing team. Internally sourced candidates may be on secondment (for a pre-defined period of time) or transferred fully to the GSOC function.
Irrespective of how the joiner is sourced, this document defines the steps to on-board the new staff member into the GSOC.
Figure 1: High level steps in the on-boarding process
The phases involved in the on-boarding process highlighted in the process flow diagram above are explained below.
The process of sourcing and hiring people into the GSOC will follow the existing KPMG HR hiring procedures and the Internal Resourcing team procedures for staff transfer or secondments as applicable.
The HR team and the GSOC Operations Manager will agree on the staff start (joining) date and a suitable Buddy for the new joiner.
The choice of Buddy will typically be influenced by the role and grade of the new joiner. As such, an ideal Buddy shall be a member of staff with at least 12 months' experience in KPMG.
The GSOC Operations Manager will create the induction schedule in collaboration with the Buddy to ensure that the key personnel who will provide shadowing are available during the on-boarding period. They will also ensure that suitable workspace and the tools needed by the new joiner are made available.
3.2.2 General IT Induction
Every new joiner to KPMG is expected to undertake a General IT induction course on commencement, which covers basic joining activities as well as a basic introduction to KPMG business and productivity tools (e.g. Timesheet, Expense, SAP ERP services, mail systems).
Internally sourced personnel will not be required to attend this course, as they have already been through it. An assessment will, however, need to be carried out for international secondees to determine whether the induction is required.
The Buddy will book the induction for the new joiner by contacting the relevant contacts in the HR Onboarding Team, and will direct the new joiner when they report to the GSOC.
Upon completion of the induction (for external hires) or on the day of reporting (for internal hires), the new joiner will be introduced to the Buddy, who will work with them to execute the rest of the on-boarding tasks.
Upon commencement (and completion of the General IT induction if externally sourced), the Buddy will introduce the new joiner to the existing GSOC members of staff and other key stakeholders. This is aimed at setting the tone for fostering good working relationships between the new joiner and the rest of the team.
At a suitable time, all new joiners will be introduced to the Global CISO.
After the introductions and other formalities, the Buddy shows the new joiner their desk and guides them through executing the general on-boarding activities in accordance with the requirements specified in .
The actual training to be completed by the new joiner will be mandated by HR. However, the GSOC may mandate new joiners to undergo training specific to the GSOC. This shall be done in accordance with the Training Catalogue and Skills Matrix.
Also, as part of the general on-boarding activities, the Buddy shall take the new joiner on a tour of the office during their first day at work.
A full listing of on-boarding activities is provided in the “On-Boarding Guide/Checklist”. This is a living document and shall be updated regularly in line with new business requirements.
The GSOC Operations Manager shall co-ordinate a GSOC induction program for new joiners. This will provide an overview of the functions, organisational structure and operations of the GSOC as well as key processes, procedures and governing policies.
This phase involves assigning the new joiner to an existing member of GSOC staff for shadowing (understudy). Shadowing is carried out in phases, starting at 100% monitoring and reducing to 50% monitored understudy. The shadowing schedule and its timeline will be determined by the Buddy in consultation with the GSOC Operations Manager, and may vary by individual, role and urgency. The following table indicates the timelines for how shadowing changes per role.
| Role | Shadowing level | Duration |
|---|---|---|
| L1 Analyst | 100% | 2 week(s) |
| L2 Analyst | 100% | 1 week(s) |
| Content Developer | 100% | 0 week(s) |
| Threat Analyst | 100% | 0 week(s) |
| Tooling Engineer | 100% | 1 week(s) |
Once the individual has demonstrated an adequate level of knowledge to carry out their tasks, shadowing will be reduced to reflect the individual's level of capability.
If performance is unsatisfactory, the new joiner will return to the shadowing phase. The Buddy will provide feedback on specific areas of weakness to guide the new joiner.
This stage is conducted by the GSOC Operations Manager and an experienced member of staff in a role similar to that of the new joiner.
Here the new joiner is evaluated on their ability to demonstrate the requisite skills in handling scenarios presented to them by the team.
Where a new joiner repeatedly fails to demonstrate the capabilities required to successfully fulfil their role, the GSOC will initiate performance review through the individual’s performance manager.
At this point, the new joiner is believed to have settled into their role and can work independently in executing their role requirements.
The on-boarding process is deemed completed.
Provisioning of the user involves the creation of access rights to information assets/resources as well as asset assignment.
As a guiding principle, access rights shall be provided on a need-to-know basis.
User provisioning will be implemented as a two-tiered process covering access to general KPMG resources and access to GSOC-specific resources. This is discussed further below.
Access to general KPMG resources will be handled by the IT Engineers and Security Department (Central Services) on the advice of the Human Resources team and the GSOC Manager. This includes access to workspaces (ID card and PIN codes, where applicable), the enterprise network (including workstation setup), creation of an email address for the new joiner (if externally sourced), and addition to applicable distribution lists, group mailboxes and shared resources.
Access to GSOC-specific resources will be handled by the GSOC Tooling Engineer, who is responsible for platform provisioning, user creation/addition on the GSOC-specific solutions, and role assignment.
No single role or person may both request and authorise access to any GSOC resource; access is granted based on approvals by the appropriate management.
3.3.3 Level 1 Tools / Platforms
The L1 Analyst(s) will be provided access to the following tools through the Research Lab.
Linux Free and Open Source Tools
| Tool | Description | Source |
|---|---|---|
| alias | Alias for commands | Built-in command |
| awk | Pattern scanning and text processing language | Built-in command |
| base64 | Base64 encode/decode data and print to standard output | Built-in command |
| cat | Concatenate files and print on the standard output | Built-in command |
| cd | Change directory | Built-in command |
| curl | Transfer a URL | Built-in command |
| dd | Convert and copy a file | Built-in command |
| diff | Compare files line by line | Built-in command |
| dig | DNS lookup utility | Built-in command |
| dos2unix | DOS/Mac to Unix and vice versa text file format converter | Built-in command |
| egrep | Print lines matching a pattern | Built-in command |
| file | Determine file type | Built-in command |
| find | Search for files in a directory hierarchy | Built-in command |
| grep | Print lines matching a pattern | Built-in command |
| gzip | Compress or expand files | Built-in command |
| host | DNS lookup utility | Built-in command |
| ls | List directory contents | Built-in command |
| lynx | Command-line web browser | Built-in command |
| md5sum | Compute and check MD5 message digest | Built-in command |
| mount | Mount a filesystem | Built-in command |
| nano | Nano's ANOther editor, an enhanced free Pico clone | Built-in command |
| nc | Network Swiss army knife (netcat) | Built-in command |
| perl | Perl language interpreter | Built-in language |
| ping | Send ICMP ECHO_REQUEST to network hosts | Built-in command |
| ps | Report a snapshot of the current processes | Built-in command |
| python | An interpreted, interactive, object-oriented programming language | Built-in language |
| rdesktop | Remote Desktop Protocol client | Built-in command |
| rm | Remove files or directories | Built-in command |
| scp | Secure copy (remote file copy command) | Built-in command |
| sed | Stream editor for filtering and transforming text | Built-in command |
| sha1sum | Compute and check SHA1 message digest | Built-in command |
| sort | Sort lines of text files | Built-in command |
| split | Split a file into pieces | Built-in command |
| ssh | OpenSSH SSH client (remote login program) | Built-in command |
| tail | Output the last part of files | Built-in command |
| tar | Create or unpack an archive | Built-in command |
| telnet | User interface to the TELNET protocol | Built-in command |
| touch | Change file timestamps | Built-in command |
| uniq | Report or omit repeated lines | Built-in command |
| upx | Compress or expand executable files | Built-in command |
| vim | Vi IMproved, a programmer's text editor | Built-in command |
| watch | Execute a program periodically, showing output full screen | Built-in command |
| wget | The non-interactive network downloader | Built-in command |
| whois | Searches for an object in an RFC 3912 database | Built-in command |
| zip | Package and compress (archive) files | Built-in command |

Windows Tools

| Tool | Description | Source |
|---|---|---|
| tasklist | Displays all running applications and services with their Process ID | Built-in command |
| systeminfo | Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties such as RAM, disk space and network cards | Built-in command |
| Windows ‘net’ commands | Used to manage networks and other functions: ACCOUNTS, COMPUTER, CONFIG, CONTINUE, FILE, GROUP, HELP, HELPMSG, LOCALGROUP, PAUSE, SESSION, SHARE, START, STATISTICS, STOP, TIME, USE, USER, VIEW | Built-in command |
| PsTools | The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more | http://technet.microsoft.com/en-us/sysinternals/ |
| wmic | Windows Management Instrumentation Command-line | Built-in command |
| powershell | Windows PowerShell command line and scripting | Built-in command |
| ShareEnum | Scan file shares on your network and view their security settings to close security holes | http://technet.microsoft.com/en-us/sysinternals/ |
| PsFile | See what files are opened remotely | http://technet.microsoft.com/en-us/sysinternals/ |
| PsExec | Execute processes remotely | http://technet.microsoft.com/en-us/sysinternals/ |
| cygwin | Unix-like environment and command-line interface for Microsoft Windows | https://www.cygwin.com/ |
| nbtstat | Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP) | Built-in command |
The L2 Analyst(s)/Content Developers shall be provided access to the following tools through the Research Lab.
Malware Analysis Tools – Network Analysis

| Tool | Description |
|---|---|
| Burp Suite | Proxy server |
| Flypaper | A tool that captures malware binary code |
| Netwitness Investigator | Identify and catch malware |
| Yara | Identify and classify malware |
| Tcpdump | Command-line packet analyser |
| Wireshark | Network protocol analyser for Unix and Windows |
| p0f | Passive traffic fingerprinting to identify the parties behind incidental TCP/IP communications |
| Ettercap | Suite for man-in-the-middle attacks |
| Tcpreplay | Replays captured traffic back onto the network and through other devices such as switches, routers, firewalls, NIDS and IPS |
| Socat | Relay for bidirectional data transfer between two independent data channels |
| Arping | Tool used to discover hosts on a computer network |
| Ngrep | pcap-aware tool that matches extended regular expressions against the data part of packets on the network |

Malware Analysis Tools – Dynamic Analysis

| Tool | Description |
|---|---|
| Cuckoo | Malware analysis system (sandbox) |
| GMER | A tool that detects and removes rootkits |
| peepdf | Investigate PDF files |
| Process Explorer | Displays information about running processes |
| Process Hacker | Process viewer that allows for memory searches and process termination |
| Process Monitor | Shows real-time file system, Registry, and process/thread activity |
| Regshot | Takes a snapshot of a computer’s registry and can compare two registry snapshots |
| Winappdbg | Develop debugging scripts |

Malware Analysis Tools – Static Analysis

| Tool | Description |
|---|---|
| CFF Explorer | PE editor |
| IDA Pro | Interactive binary disassembler |
| MD5 | Hash function that produces a 128-bit hash value |
| PDFiD | Scans PDF files for malicious code |
| SWFDump | Disassembles code contained in a SWF file |
| PEiD | Detects most common packers, cryptors and compilers for PE files |
| UPX Unpacker | Unpacks UPX-packed files |
| Volatility | Extracts digital artefacts from RAM |
Forensic Tools (Freeware and Open Source)

Digital Evidence Acquisition
dd – GNU dd, the oldest imaging tool
dc3dd – patched version of GNU dd with added features for computer forensics
ddrescue – raw disk imaging tool that copies data from one file or block device to another, trying hard to rescue data in case of read errors
dcfldd – enhanced version of GNU dd
libewf – library to access the Expert Witness Compression Format (EWF). It contains tools that: write storage media data from devices and files to EWF files; write data from stdin to EWF files; export storage media data in EWF files to (split) RAW format or a specific version of EWF files; show the metadata in EWF files; FUSE-mount EWF files; create a new set of EWF files from a corrupt set (a special variant of the export tool); and verify the storage media data in EWF files. An experimental tool is also included that does nothing at the moment. The libewf package also contains language bindings.
afflib – library for the Advanced Forensics Format (AFF), an extensible open format for the storage of disk images and related forensic metadata

Mounting Disc Images
mount – tool used to mount disks

md5deep – suite of cross-platform tools to compute and audit hashes for any number of input files. It also supports SHA-1, Tiger and Whirlpool.

The Sleuth Kit – collection of UNIX-based command-line tools that allow you to investigate a computer. Some of the tools included are blkcat, blkls, blkcalc, icat, ils and istat.
log2timeline – framework to parse various log files and artifacts found on suspect systems. The tool contains timescanner and glog2timeline.

galleta and pasco – Internet Explorer cookie forensic analysis tools
rifiuti – Recycle Bin forensic analysis tool
antiword – application used to display text and graphics from Microsoft Word documents
exiftool – Perl library and command-line tool for reading and writing metadata in files

recover_deleted_registry_keys.pl – recovers unallocated keys and key slack from a registry hive
regripper – extracts, correlates and displays specific information from Registry hive files from the Windows NT (2000, XP, 2003, Vista) family of operating systems

pdgmail – Gmail memory forensics
pdymail – Yahoo mail memory forensics

foremost – recovers deleted files; served as the basis for the more modern scalpel
magicrescue – scans a block device for file types it knows how to recover and calls an external program to extract them
testdisk – primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table)
rapier – designed to acquire commonly requested information and samples during an information security event, incident or investigation
scalpel – recovers deleted data; originally based on foremost

Data Compression Tools
rar – tool used to extract, open and compress rar files
bzip – tool used to extract, open and compress bzip files
p7zip – port of 7za.exe for POSIX systems such as Unix and Mac OS X

pdfid.py – PDF forensics tool that quickly provides an overview of a PDF file's potential threats
pdf-parser.py – identifies the fundamental elements used in the analysed file

GUI Forensic Analysis
Autopsy – digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools

john – password cracker, also available for Windows
bkhive – dumps the syskey bootkey from a Windows NT/2K/XP/Vista system hive
samdump – dumps Windows NT/2K/XP/Vista password hashes
ophcrack – free Windows password cracker based on rainbow tables

outguess – steganographic tool that allows the insertion of hidden information into the redundant bits of data sources
stegsecret – detection of hidden information in different digital media

rdesktop – Remote Desktop Protocol client for accessing Windows Remote Desktop Services
sqlite – SQLite Database Browser is a light GUI editor for SQLite databases, built on top of Qt
dos2unix – utility to convert text files with DOS or Mac line breaks to Unix line breaks and vice versa
Tooling Engineers will be provided access to the following tools and platforms:
Threat Analysts will be provided access to the following tools and platforms: