A.20. Managing Personnel

Personnel management is a security concept that focuses on minimizing the vulnerabilities, threats, and risks that people themselves bring to an organization. Ultimately, people are the last line of defense for your company's assets. Many mechanisms are imposed to help improve personnel security, such as separation of duties, the principle of least privilege, acceptable use policies, job reviews, mandatory vacations, and even exit interviews.

You need to be aware of these controls and learn how to do your job within the boundaries that they dictate. Here are some important recommendations for management:

  • Know exactly which privileges you are assigned.

  • Don't attempt to exceed your assigned authority.

  • Know which actions require multiple people to work together, and then attempt them only with the correct number of admins.

  • If you discover that you have a privilege or capability that you should not have, report it.

  • Never perform any activity that is unethical or illegal, even if refusing will cost you the petty respect of your peers and/or your job.

  • Watch out for conflicts of interest and make them known to the security administrator when they occur.

  • The person who configures a system should not be the auditor.

  • The person who designs a system should not be the tester.

  • Only log on with your admin account when you actually need that level of access.

  • Log on as a normal user account for your daily activities.

  • Limit the use of admin accounts over the network; try to use them directly at the console/terminal to reduce the risk of eavesdropping.

Be aware of all of the policies that govern your behavior. Knowing what you are responsible for makes it much easier to comply. Ignorance is never a valid excuse when a violation occurs.
