Contents
2.8.1 Personnel Security
Your security programs should be built upon a solid policy foundation. Personnel security programs should be built upon educating employees about these policies and their individual roles in protecting the enterprise.
As part of this program you should have explicit procedures that describe how you will handle violations to the security policy. This could involve management, cybersecurity teams, and HR. You should never approach someone about a possible policy violation without consulting management.
What use of personal resources is acceptable on corporate networks with corporate data?
In your policies you will need to identify if the following can be used in the corporate network:
- Personal computers
- Personal email accounts
- Personal cloud services
- Personal mobile devices
If you allow these devices or services, you should have proper procedures in place for vetting these and ensuring they comply with your policies.
Staff Training
This is the best form of defense against attacks like Social Engineering attacks. Some topics to include in staff training are:
- Different types of cybersecurity threats
- Importance of password security
- The protection of company data
- How to detect and report threats
Insider Threat Defense
25% of all cybersecurity attacks are from insiders. To avoid Insider threats:
- Run background investigations in new staff
- Monitor sensitive resources and what’s happening on the network
- Provide managers with training to help identify disgruntled employees
- Apply Data Loss Prevention (DLP) technologies
2.8.2 Security in the hiring Process
Employees often have privileged access to all kinds of sensitive information. Organisations have a responsibility to ensure that security plays an important role in the hiring process. Spending a little extra time on security before hiring an employee can help avoid costly mistakes.
Pre Employment Screening
- Check for criminal record or on sex offenders list
- Check which countries they worked in and what state
- Verify that educational and employment experience is accurate
- Some organisations do credit checks
You must have the persons written consent for obtaining and using this information.
Employee Agreements
Organisations use employee agreements that spell out the employees responsibilities in different areas. This may include security related responsibilities. This should include:
- NDAs (Nondisclosure Agreements) where the employee agrees not to disclose any confidential information while at the organisation or even after they leave the organisation
- Asset return agreements- where the employee agrees to return all the organisations property at the end of employment
Employers can use the hiring and orientation process as an opportunity to familiarise them with security policies.
2.8.3 Employee Termination Process
The process of employees leaving the organisation should be as pleasant as possible. One strategy that can be used is an exit interview. These are used to gather information about the employee’s experience at the company and wish them well in the future. It is also a useful to gently remind the employee about the their responsibilities under the nondisclosure agreement.
Revoke Access
In the case of voluntary separation the employees access is revoked on the last day.
In the case of involuntary separation it is different. If they are being terminated immediately the possibility of a revenge attack becomes higher. In this case you should revoke their access as soon as they are notified. If you revoke it too early they will be aware that something is going on.
Retrieve Organisation Property
- Keys
- Access badges
- Laptops and mobile devices
- Paper and electronic files
2.8.4 Employee Privacy
Organisations gather lots of information about employees, most of which the employee would like to keep private.
Sensitive Personal Information
- Background checks
- Social Security numbers
- Salary and payroll info
- Health and benefit records
Protecting Information
Organisations have a legal and ethical responsibility to protect personal information.
- Principal of Minimisation: organisations should only collect the information they need and they should only store that information for as long as it is necessary for a valid business reason
- Limit access to this information: access to sensitive information should only be for those with a valid need to know
- Encryption: encrypting data prevents the records from being accessed outside normal channels, I.e.: if a laptop is lost or stolen or if someone gains access to unlawful access to a system
- Masking data: this allows data to be used without exposing sensitive records. EG: you could replace digits in a social security number with XXX’s
2.8.5 Social Network Security
Social Networking accounts often get hacked through either weak passwords or social engineering attacks where the attacker tricks a user to grant them access to the account.
Use multifactor authentication to preventing account hijacking
If using Social media management tools you should review the security of these tools
You should implement a Social Networking policy to ensure employees use Social networking sites appropriately.
2.8.6 Personnel Safety
Employers should always place employee safety above everything else.
EXAM TIP: if you see a question involving employee safety, this is always the top priority
Isolated Staff
Staff working alone, such as overnight staff or in isolated areas, should always be monitored for safety.
Duress Monitoring
- Panic buttons – these silently alert security personnel to a dangerous situation when pressed
- Duress Codes – these can be word codes that could be used to alert someone without alerting the attacker. Or an alarm code that can be entered that won’t sound the alarm but will alert security staff.
Employees Travelling
Employees who are traveling to unusual or dangerous locations should be monitored. There are governments sites which contain information about the different dangers/warnings of travelling to certain countries.
