CHAPTER 45

EMPLOYMENT PRACTICES AND POLICIES

M. E. Kabay and Bridgitt Robertson

45.1 INTRODUCTION

45.2 HIRING

45.2.1 Checking Candidate's Background

45.2.2 Employment Agreements

45.3 MANAGEMENT

45.3.1 Identify Opportunities for Abuse

45.3.2 Access Is Neither a Privilege Nor a Right

45.3.3 The Indispensable Employee

45.3.4 Career Advancement

45.3.5 Vacation Time

45.3.6 Responding to Changes in Behavior

45.3.7 Separation of Duties

45.3.8 No Unauthorized Security Probes

45.4 TERMINATION OF EMPLOYMENT

45.4.1 Resignations

45.4.2 Firings

45.5 SUMMARY

45.6 FURTHER READING

45.7 NOTES

45.1 INTRODUCTION.

Crime is a human issue, not merely a technological one. True, technology can reduce the incidence of computer crimes, but the fundamental problem is that people can be tempted to take advantage of flaws in our information systems. The most spectacular biometric access control in the world will not stop someone from getting into the computer room if the janitor believes it is “just to pick up a listing.”

People are the key to effective information security, and disaffected employees and angry ex-employees are important threats according to many current studies. For example, the 2007 CSI Computer Crime and Security Survey, published by the Computer Security Institute, reported on responses from 494 participants in a wide range of industries, nonprofits and government agencies; the authors stated:

Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.1

The same report indicated that about 64 percent of the respondents believed that insiders accounted for at least some of their cybercrime losses:

  • 27 percent agreed with estimates of “up to 20 percent”
  • 11 percent estimated 21 to 40 percent
  • 11 percent estimated 41 to 60 percent
  • 10 percent estimated 61 to 80 percent
  • 5 percent estimated 81 to 100 percent

Finally, the CSI reported that “respondents indicated a jump in insider abuse of network resources from 42 to 59 percent.”

This chapter presents principles for integrating human resources (HR) management and information security into corporate culture.2

45.2 HIRING.

The quality of employees is the foundation of success for all enterprises; it is also the basis for effective information security.

45.2.1 Checking Candidate's Background.

Hiring new employees poses a particular problem; growing evidence suggests that many people inflate their résumés with unfounded claims. According to Edward Andler, author of The Complete Reference Checking Handbook, “cheating on résumés has become distressingly common. And many people are getting by with it, which appears to be making others follow suit.” His research shows that up to 10 percent “seriously misrepresent” their background or work histories. A research project run by the Port Authority of New York and New Jersey used an advertisement asking for electricians who were expert at using “Sontag Connectors.” They received 170 responses claiming such expertise, even though there was no such device.3

Reviewers should be especially careful of vague words such as “monitored” and “initiated.” During interviews or background checking, HR staff should find out, in specific detail, what the candidate actually did. All references should be followed up, at least to verify that the candidates really worked where the résumé claims they did.

Unfortunately, there is a civil liberties problem when considering someone's criminal record. Once people have suffered the legally mandated punishment for a crime, whether fines, community service, or imprisonment, discriminating against them in hiring may be a violation of their civil rights. Can one exclude convicted felons from any job openings? From job openings similar to areas in which they abused their former employers' trust? Are employers permitted in law to require that prospective employees approve background checks? Can one legally require polygraph tests? Drug tests? Personality tests?

In some jurisdictions, “negligent hiring” that results in harm to third parties is being punished in civil litigation. Imagine, for example, that a firm were to hire an active criminal hacker as a system administrator without adequate background checking and interviews; if the hacker were then to use his position and corporate resources to break into or sabotage another organization's systems, it is reasonable to suppose that the victim could claim damages from the criminal's employer on the basis of negligent hiring. In addition, “negligent retention” could hold an employer liable when an employee, who may pose a risk to coworkers or the public, is not terminated immediately.

Employers should consult their corporate legal staffs to ensure that they know, and exercise, their rights and obligations in the specific legal context of their work.

Even checking references from previous employers is fraught with uncertainty. Employers may hesitate to give bad references for incompetent or unethical employees for fear of lawsuits if their comments become known, or if the employee fails to get a new job. Today, one cannot rely on getting an answer to the simple question “Would you rehire this employee?”

Ex-employers must also be careful not to inflate their evaluation of an ex-employee. Sterling praise for a scoundrel could lead to a lawsuit from the disgruntled new employer.

For these reasons, a growing number of employers have corporate policies that forbid discussing a former employee's performance in any way, positive or negative. All one gets from a contact in such cases is “Your candidate did work as an Engineer Class 3 from 1991 to 1992. I am forbidden to provide any further information.”

It is commonplace in the security field that some people who have successfully committed crimes have been rewarded by a “golden handshake” (a special payment in return for leaving) and sometimes even with positive references. The criminals can then move on to victimize a new employer. However, no one knows how often this takes place.

To work around such distortions, interviewers should question candidates closely about details of their education and work experience. The answers can then be checked for internal consistency and compared with the candidate's written submissions. Liars hate details: It is so much harder to remember which lie to repeat to which person than it is to tell the truth.

There are commercial services specializing in background checking (e.g., www.virtualhrscreening.com). They provide the necessary forms to allow employers to query credit records and other background information (www.virtualhrscreening.com/forms.htm). Companies such as Kroll and Securitas Security Services also conduct extensive background checks.

Another kind of background check can be done free of charge with a search engine such as Google. Entering a candidate's name will often retrieve some aspect of the applicant's life. Of particular interest might be a search of the candidate's postings to a blog or discussion forum to see what information the person is disseminating. Anything found this way should be confirmed before it is acted on, since names are not unique and postings are easily misattributed.

Experienced employees should interview the candidate and compare notes in meetings to spot inconsistencies. A director of technical support at a large computer service bureau questioned a new employee who claimed to have worked on a particular platform for several years—but did not know how to log on. Had he chatted with any of the programmers on staff before being hired, his deception would have been discovered quickly enough. Ironically, had he told the truth, he might have been hired anyway.

45.2.2 Employment Agreements.

Before allowing new employees to start work, they should sign an employment agreement stipulating that they will not disclose confidential information or trade secrets of their previous employers. Another clause must state that they understand that the new employer is explicitly not requesting access to information misappropriated from their previous employer, or from any other source. The Uniform Trade Secrets Act, which is enforced in many jurisdictions in the United States, provides penalties that are up to triple the demonstrated financial damages, plus attorney's fees, caused by such data leakage. One high-profile case involved three employees who were found guilty of stealing and trying to sell Coca-Cola secrets to its rival Pepsi.4

45.3 MANAGEMENT.

Security is the result of corporate culture; therefore, management practices are critically important for successful information protection. External attacks through Internet connections, and damage from malicious software, are certainly important threats; nonetheless, insider damage due to errors and omissions as well as through dishonesty or a desire for revenge are still major problems for information security.5 These problems are compounded when there are collaborative threats involving insiders working with those outside the enterprise.

45.3.1 Identify Opportunities for Abuse.

Security managers do not have to be paranoid; they just have to act as if they were. Managers must treat people with scrupulously fair attention to written policies and procedures. Selective or capricious enforcement of procedures may constitute harassment. If some individuals are permitted to be alone in the printer room as salary checks are printed, while other employees of equivalent rank must be accompanied, the latter can justifiably interpret the inconsistency as an implicit indication of distrust. Such treatment may move certain employees to initiate grievances and civil lawsuits, to lay complaints under criminal statutes for discrimination, or even to commit vengeful acts.

45.3.2 Access Is Neither a Privilege Nor a Right.

When management removes access rights to the network server room from a system analyst who has no reason to enter that area, the response may be resentment, sulking, and abuse. People sometimes treat access controls as status symbols; why else would a CEO who has no technical training demand that his access code include the tape library and the wiring closet? Managers can overcome these psychological barriers to better security by introducing a different way of looking at vulnerabilities and access. After identifying an opportunity for a particular employee to use the system in unauthorized ways, one should turn the discussion into a question of protecting the person who has unnecessary access against undue suspicion. For example, an employee having more access to secured files than is required is put at risk. If anything ever did go wrong with the secured files, that employee would be a suspect. There is no need to frame the problem in terms of suspicion and distrust.

With these principles in mind, managers should be alert to such dangers as permitting an employee to remain alone in a sensitive area, allowing unsupervised access to unencrypted backups, or having only one programmer who knows anything about the internals of the accounting package.

As for language, it would be better to stop referring to access privileges. The very word connotes superiority and status—the last things management should imply. Access is a function and a responsibility, not a privilege or a right; it should be referred to simply as access functions or access authorizations.
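The two dangers named above, a person holding access their function does not require and a function that only one person can perform, are both visible in a routine entitlement review. The following is an added example of such a review, not code from this handbook; the roles, people, and entitlement names are constructed for illustration, and in practice the grant data would come from an export of the directory or access-control system.

```python
# Added example (not from the handbook): a periodic entitlement review that
# reports (a) access a person holds beyond what their role requires, and
# (b) required functions that only one person can perform. Roles, users and
# entitlement names are constructed for the example.

# Functions each role needs in order to do its job (constructed).
ROLE_REQUIRED = {
    "systems_analyst": {"ticketing", "test_db"},
    "operator": {"console", "tape_library", "backup_restore"},
    "programmer": {"source_repo", "test_db"},
    "ceo": {"email", "board_portal"},
}

# What each person has actually been granted (constructed; in practice this
# would come from an export of the directory or access-control system).
GRANTED = {
    "alice": ("systems_analyst", {"ticketing", "test_db", "server_room"}),
    "bob": ("operator", {"console", "tape_library", "backup_restore"}),
    "carol": ("programmer", {"source_repo", "test_db", "accounting_internals"}),
    "dave": ("ceo", {"email", "board_portal", "tape_library", "wiring_closet"}),
}


def excess_access(granted, role_required):
    """Map each user to the sorted entitlements their role does not require.

    Users whose grants match their role exactly are omitted from the result.
    """
    report = {}
    for user, (role, entitlements) in granted.items():
        extra = entitlements - role_required.get(role, set())
        if extra:
            report[user] = sorted(extra)
    return report


def sole_holders(granted, role_required):
    """Map each required function to its holder when exactly one person holds it.

    Only functions some role requires are considered; excess grants are the
    job of excess_access(). A single holder is an availability risk: if that
    person is absent, nobody can perform the function.
    """
    needed = set().union(*role_required.values())
    holders = {}
    for user, (_, entitlements) in granted.items():
        for e in entitlements & needed:
            holders.setdefault(e, []).append(user)
    return {e: users[0] for e, users in sorted(holders.items()) if len(users) == 1}


if __name__ == "__main__":
    for user, extra in excess_access(GRANTED, ROLE_REQUIRED).items():
        print(f"{user}: remove {', '.join(extra)}")
    for function, user in sole_holders(GRANTED, ROLE_REQUIRED).items():
        print(f"{function}: only {user} can do this; cross-train a backup")
```

The first report is the list to take to the access-removal conversation described above, framed as protecting the person from suspicion rather than as distrust; the second is the cross-training list for the next section.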

45.3.3 The Indispensable Employee.

In many areas of information processing, redundancy is generally viewed as either a bad thing or an unavoidable but regrettable cost paid for specific advantages. For example, in a database, indexing may require identical fields (items, columns) to be placed in separate files (data sets, tables) for links (views, joins) to be established. However, in managing personnel for better security, redundancy is a requirement. Without shared knowledge, an organization is at constant risk of a breach of availability.

Redundancy in this context means having more than one person who can accomplish a given task. Another way of looking at it is that no knowledge should belong to only one person in an organization. Putting the keys to the kingdom in the hands of one employee invites disaster.

Unique resources always put systems at risk; that is why companies such as Tandem, Stratus, and others have so successfully provided redundant and fault-tolerant computer systems for critical task functions, such as stock exchanges and banking networks. These computer systems and networks have twin processors, channels, memory arrays, disk drives, and controllers. Similarly, a fault-tolerant organization will invest in cross-training of all its personnel. Every task should have at least one other person who knows how to do it—even if less well than the primary resource. This principle does not imply that managers have to create clones of all their employees; it is in fact preferable to have several people who can accomplish various parts of any one person's job. Spreading knowledge throughout the organization makes it possible to reduce the damage caused by absence or unavailability of key people.

It is dangerous to allow a single employee to be the only person who knows about a critical function in the enterprise. Operations will suffer if the key person is away, and the enterprise will certainly suffer if this unique resource person decides to behave in unauthorized and harmful ways. Managers should ask themselves if there is anyone in their department whose absence they dread. Are there any critical yet undocumented procedures for which everyone has to ask a particular person?

A client in a data center operations management class volunteered the following story. There was a programming wizard responsible for maintaining a key production program; unfortunately, he had poor communication skills and preferred to solve problems himself rather than to train and involve his colleagues. “It'll be faster for me to do it myself,” he used to say. During one of his rare vacations, something went wrong with “his” production program, shutting down the company's operations. The wizard was in the north woods, out of reach of all communications; the disaster lasted until he returned.

Not only does the organization suffer, but also the indispensable persons suffer from the imbalance of knowledge and skill when no one else knows what they know. Some indispensable employees are dedicated to the welfare of their employer and of their colleagues. They may hesitate to take holidays. If their skills are needed from hour to hour, it becomes more difficult for them to participate in committee meetings. These are the people who wear beepers and cannot sit undisturbed even in a two-hour class. If the indispensable employees' skills affect day-to-day operations, they may find it hard to go to off-site training courses, conferences, and conventions. Despite their suitability for promotion, indispensable people may be delayed in their career change because the organization finds it difficult or expensive to train their replacements. In extreme cases, newly promoted managers may find themselves continuing to perform specialized duties that ought to be done by their staff. Sometimes even a VP of Operations is the only person who can make changes to a production system that should be performed by a programmer three or four levels down.

A particular kind of indispensability occurs when an employee becomes the de facto technical support resource for a particular software package or system. Without authorization from their managers, these employees can find themselves in difficulty. They may be fired because their productivity drops too low according to their job descriptions, which do not include providing undocumented technical support to other people. They may burn out and quit because of overwork and criticism. Or they may cause resentment among their colleagues and neighbors by declining to help them, or by complaining about overwork. Alternatively, they may enjoy the situation, and manage to meet all the demands on their time quite successfully, until others in the information technology department begin to feel threatened, and someone either complains to the higher-ups or begins spreading nasty comments about these unauthorized support technicians.

Looking at this situation from a management point of view, there are problems for the recipients of all this free aid. The longer they persist in getting apparently free help from their unofficial benefactor, the longer they can avoid letting upper management know they need help. Then when the bubble bursts and the expert becomes unavailable, managers are confronted with a sudden demand for unplanned resources. In most organizations, unexpected staffing requirements are difficult to satisfy. Managers have a hard time explaining how it is that they were unable to predict the need and to budget for it.

Sometimes persons continue to be indispensable because of fear that their value to their employers resides in their private knowledge. Such employees resent training others. The best way to change their counterproductive attitude is to set a good example; managers should share knowledge with them and with everyone else in their group. Education should be a normal part of the way everyone in the enterprise works. Managers can encourage cross-training by allocating time for it. Cross-training can be a factor in employee evaluations. Current topics from the trade press and academic journals, for example, can be discussed in a journal club, or at informal, scheduled meetings, where people take turns presenting the findings from recent research in areas of interest.

Reluctance to explain their jobs to someone else may also mask unauthorized or illegal activity. Take, for example, the case of Lloyd Benjamin Lewis, assistant operations officer at Wells Fargo Bank in Beverly Hills, California. He arranged with a confederate outside the bank to cash fraudulent checks for up to $250,000 each on selected legitimate accounts at Lewis's branch. Using a secret code stolen from another branch, Lewis would scrupulously encode a credit for the exact amount of the theft, thus giving the illusion of correcting a transaction error. Lewis stole $21.3 million from his employer between September 1978 and January 1981, when he was caught by accident. For unknown reasons, a computer program flagged one of his fraudulent transactions so that another employee was notified of an irregularity. It did not take long to discover the fraud, and Lewis was convicted of embezzlement. He was sentenced to five years in a federal prison.6

Because Lewis was obliged to be physically present to trap the fraudulent checks as they came through the system, he could not afford to have anyone with him watching what he did. Lewis would have been less than enthusiastic about having to train a backup to do his job. If anyone had been cross-trained, the embezzlement would probably not have continued so long, or have become so serious.

45.3.4 Career Advancement.

In a topic related to avoiding indispensability, managers can improve the security climate through accepted principles of good human resources management, such as career advancement for all employees. By promoting individuals to new responsibilities, managers can also increase the number of people with expertise in critical functions. As managers carry out their regular employee performance reviews, they should include discussions of each person's career goals. Here, based on a summary by employment expert Lee Kushner, are some practical questions to discuss with employees as part of their interviews.7

  1. What are your long-term plans?
  2. What are your strengths and weaknesses?
  3. What skills do you need to develop?
  4. Have you acquired a new skill in the past year?
  5. What are your most significant career accomplishments, and will you soon achieve another one?
  6. Have you been promoted over the past three years?
  7. What investments have you made in your own career?
  8. Are you being impatient?

When managers support individuals' interests and aspirations, they foster a climate of respect and appreciation and concurrently support positive feelings about the organization.

45.3.5 Vacation Time.

In the example presented in Section 45.3.3, Lloyd Benjamin Lewis took his unauthorized duties (stealing money from his bank) so seriously that during the entire period of his embezzlement, about 850 days, he was never late, never absent, and never took a single vacation day in over two years. Any data center manager should have been quite alarmed at having an employee who had failed to be absent or late a single day in more than two years. The usual rule in companies is that unused vacation days can be carried over for only a limited time, and then they expire. This is intended to be an incentive to take vacation time; for normal, honest employees, it probably works fine. For dishonest employees who have to be present to control a scam, losing vacation days is intolerable.

Every employee should be required to take scheduled vacations within a definite—and short—time limit. No exceptions should be permitted. Excessive resistance to taking vacations should be investigated to find out why the employee insists on being at work all the time.

Unfortunately, this suspicious attitude toward perfect attendance causes problems for the devoted, dedicated, and honest employee. An innocent person can get caught up in a web of suspicion precisely because of exceptional commitment. One may be able to avoid difficulties of this kind by: (1) making the reasons for the policy well known to all employees so no one feels singled out; (2) relying on the judgment, discretion, and goodwill of the investigating manager to avoid hurt feelings in their most loyal employees; and (3) switching such an employee's functions temporarily to see if anything breaks.

45.3.6 Responding to Changes in Behavior.

Any kind of unusual behavior can pique the curiosity of a manager. Even more important from a security management standpoint, any consistent change in behavior should stimulate interest. Is a normally punctual person suddenly late, day after day? Did an employee start showing up regularly in hand-tailored suits? Why is a usually charming person snarling obscenities at subordinates these days? What accounts for someone's suddenly working overtime every day, in the absence of any known special project? Is a competent person now producing obvious errors in simple reports? How is it that a formerly complacent staffer is now a demanding and bitter complainer?

With so much of the enterprise's financial affairs controlled by information systems, it is not surprising that sudden wealth may be a clue that someone is committing a computer crime. A participant in an information systems security course reported that an accounting clerk at a government agency in Washington, DC, was arrested for massive embezzlement. The tip-off? He arrived at work one day in a Porsche sports car and boasted of the expensive real estate he was buying in a wealthy area of the capital region—all completely beyond any reasonable estimate of his income.

Not all thieves are that stupid. A healthy curiosity is perfectly justified if you see an employee sporting unusually expensive clothes, driving a sleek car after years with a rust bucket, and chatting pleasantly about the latest trip to Acapulco when that person's salary does not appear to explain such expenditures. Unsolicited inquiries into people's private lives, however, will usually win no friends. There is a delicate line to walk, but ignoring the issue does not make it disappear.

The other kind of change—toward the negative—also may indicate trouble. Why is the system manager looking both dejected and threadbare these days? Is he in the throes of a personal debt crisis? In the grip of a blackmailer? Beset with a family medical emergency? A compulsive gambler on a losing streak? On humane grounds alone, one would want to know what is up in order to help; however, a manager concerned with security would be compelled to investigate. In these days of explosive rage, and ready access to weapons, ignoring employees with a dark cloud hovering over their heads may be irresponsible and dangerous.

Any radical change in personality should elicit concern. If the normally relaxed head accountant now has beads of sweat on her forehead whenever you discuss the audit trails, perhaps it is time to look into her work more closely. Why does a good family man begin returning from long lunches with whiskey on his breath? A formerly grim manager now waltzes through the office with a perpetual smile on his face. What happened? Or what is happening?

All of these changes should alert managers to the possibility of changes in the lives of their employees. Although these changes do indeed affect the security of an organization, they also concern managers as human beings who can help other human beings. Mood swings, irritability, depression, euphoria—these can be signs of psychological stress. Is an employee becoming alcoholic? A drug addict? Abused at home? Going through financial difficulties? Having trouble with teenagers? Falling in love with a colleague? Of course managers cannot help everyone, and in some cases, help should involve qualified mental health professionals; but at least everyone can express concern and support in a sensitive and gentle way. Such discussions should take place in private, and without alarming the subject or exciting other employees. At any time, a manager should feel free to involve the HR or personnel department. They will either have a psychologist or trained counselor on staff or be able to provide appropriate help in some other way, such as an employee crisis line.

There are sad cases in which employees have shown signs of stress but have been ignored, with disastrous consequences: suicides, murders, theft, and sabotage. Be alert to the indicators and take action quickly.

Australian human resources expert Laura Stack offers this analysis of signs of extreme stress:

People don't normally all of a sudden flip out; they give off early warning signals. Luckily, managers can observe signs of stress in employee behaviour, beginning with milder signs and culminating in desk rage. Be observant for the following stress stages:

Physical stage: Headaches, illness, fatigue.

Social stage: Negativity, blaming things on others, missed deadlines, working through lunch.

Cerebral stage: Clock-watching, errors in assignments, minor accidents, absentmindedness and indecisiveness.

Emotional stage: Anger, sadness, crying, yelling, feelings of being overwhelmed, depression.

Spiritual stage: Brooding, crying, wanting to make drastic changes in life, not relating well with people, distancing themselves from personal relationships.8

The manager's job in probing behavioral changes is difficult; one must walk the thin and possibly invisible line between laissez-faire uninvolvement, risking lifelong regrets or even prosecution for dereliction of duty, and overt interference in the private affairs of the staff, risking embarrassment and possible prosecution for harassment.

Written policies will help; so will a strong and ongoing working relationship with the HR staff. Making it clear to all employees that managers are available for support, but are also expected to investigate unusual behavior, will also help avoid misunderstandings.

45.3.7 Separation of Duties.

The same principles that apply to the control of money should apply to control of data. Tellers at a bank, when someone deposits a large check, will always go to a supervisor and have that person look the check over and initial the transaction. When bank tellers empty the automatic teller machines at night and fill the cash hoppers, there are always two people present. In most organizations, the person who creates a check is not the person who signs it.

In well-run information systems departments, with good operations security, data entry is distinct from validation and verification.9 For example, a data entry supervisor can check on the accuracy of data entry but should not be allowed to enter a new transaction without having a direct supervisor check the work. There is no excuse for allowing the data entry supervisor to enter a transaction and then, effectively, to authorize it. What if the entry were in error—or fraudulent? Where would the control be?

In quality assurance for program development, the principles of separation of duty are well established. For example, the person who designs or codes a program must not be the only one to test the design or the code.10 Test systems are separate from production systems; programmers must not have access to confidential and critical data that are controlled by the production staff. Programmers must not enter the computer room if they have no authorized business there; operators must not modify production programs and batch jobs without authorization.11

Managers should consider giving up access to functions that have been delegated to two or more subordinates. Maintaining such access could cause more problems than it solves, but in an emergency, access and control could easily be restored. This attitude exemplifies the concept of separation of duties.
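The data-entry rule above, that the person who enters a transaction must never be the one who authorizes it, is easy to state and easy to lose in software. The following is an added example of a maker/checker ledger that enforces the rule mechanically; it is not code from this handbook, and the names, amounts, and approver list are constructed for illustration.

```python
# Added example (not from the handbook): a maker/checker ledger in which the
# person who enters a transaction can never be the one who authorizes it, and
# only designated approvers may authorize. Names and amounts are constructed.
from dataclasses import dataclass
from typing import Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person would both create and authorize a transaction."""


@dataclass
class Transaction:
    tx_id: str
    amount_cents: int
    entered_by: str
    approved_by: Optional[str] = None


class Ledger:
    def __init__(self, approvers):
        self.approvers = set(approvers)   # who may authorize (from HR/role data)
        self.pending = {}                 # entered but not yet authorized
        self.posted = []                  # authorized transactions
        self.audit_log = []               # (action, tx_id, user) for review

    def enter(self, tx_id, amount_cents, user):
        """Create a transaction; it has no effect until someone else approves it."""
        if tx_id in self.pending or any(t.tx_id == tx_id for t in self.posted):
            raise ValueError(f"duplicate transaction id {tx_id}")
        tx = Transaction(tx_id, amount_cents, entered_by=user)
        self.pending[tx_id] = tx
        self.audit_log.append(("enter", tx_id, user))
        return tx

    def approve(self, tx_id, user):
        """Authorize a pending transaction; enforces the four-eyes rule."""
        tx = self.pending.get(tx_id)
        if tx is None:
            raise KeyError(f"no pending transaction {tx_id}")
        if user not in self.approvers:
            raise SeparationOfDutiesError(f"{user} is not an authorized approver")
        if user == tx.entered_by:
            # The control this chapter describes: a supervisor may check the
            # work, but may not authorize a transaction they entered themselves.
            raise SeparationOfDutiesError(f"{user} entered {tx_id} and may not approve it")
        tx.approved_by = user
        self.posted.append(self.pending.pop(tx_id))
        self.audit_log.append(("approve", tx_id, user))
        return tx


def demo():
    """Walk through the data-entry scenario; returns (posted ids, rejected reasons)."""
    ledger = Ledger(approvers={"supervisor", "manager"})
    rejected = []
    ledger.enter("T1", 125_000, user="clerk")
    ledger.approve("T1", user="supervisor")        # fine: different people
    ledger.enter("T2", 9_900_000, user="supervisor")
    for approver in ("supervisor", "clerk"):       # self-approval, then a non-approver
        try:
            ledger.approve("T2", user=approver)
        except SeparationOfDutiesError as err:
            rejected.append(str(err))
    ledger.approve("T2", user="manager")           # a second pair of eyes
    return [t.tx_id for t in ledger.posted], rejected
```

The check is deliberately placed in the approval path rather than in a user-interface rule, so that it holds no matter which screen, script, or batch job submits the approval; the audit log records who entered and who approved each item, which is the evidence an auditor asks for.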

In early 1995, the financial world was rocked by the collapse of the Barings PLC investment banking firm. The Singapore office chief, Nicholas Leeson, was accused of having played the futures market with disastrous consequences.12 The significant point is that he managed to carry out all the orders without independent overview. Had there been effective separation of duties, the collapse would not have occurred.

Another shocking example occurred at UBS PaineWebber, where a system administrator, upset about the poor bonus he had received, planted a logic bomb on the company's network before quitting his job. When it triggered, the program deleted files and wreaked havoc on over 1,000 servers and 17,000 individual workstations. He had also bought put options against UBS so that he would profit from the damage. A single administrator able to push code to every production host without a second person's review is exactly the absence of separation of duties that this section warns against.

A related approach is called dual control. As an example of dual control, consider the perennial problem of secret passwords not known to managers who sometimes need emergency access to them. This problem does not generally apply to ordinary users' passwords, which normally can be reset by a security administrator without having to know the old password; the temporary password should then be changed to a truly secret string by the user after a single logon. However, to guard against the absence of the only person who has the root password for a system, possibly because the others are on vacation, it is advisable to store a written copy of the root password in a truly opaque envelope, seal it, sign the seal, tape over the seal with nonremovable tape, and then store the envelope in a corporate safe. The principle of dual control dictates that such a copy of the root password should be accessible only if two officers of the organization simultaneously sign for it when taking it out of the corporate safe. The envelope must be replaced whenever the root password is changed, and the root password must be changed after any envelope is opened, since the copy is no longer secret.
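The sealed envelope achieves dual control by physical custody. The same property can be obtained cryptographically with split knowledge: the credential is divided into shares held by different officers so that any two of them (or any k of n) can reconstruct it while fewer than that learn nothing. The following is an added example using Shamir's secret sharing; it is not a procedure from this handbook, the credential value is constructed, and the assignment of shares to officers is an assumption for illustration.

```python
# Added example (not from the handbook): the sealed-envelope procedure above,
# expressed as split knowledge. The emergency credential is split into n
# shares with Shamir's scheme so that any k of them (here k = 2) recover it and
# fewer reveal nothing. The credential value and share holders are constructed.
import secrets

# A Mersenne prime; secrets up to 65 bytes fit below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coefficients low to high) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Return n (x, y) shares of `secret`; any k of them reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not 0 < k <= n or s >= PRIME:
        raise ValueError("bad threshold or secret too long")
    # Constant term is the secret; the other k-1 coefficients are random.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_int(shares):
    """Lagrange-interpolate the shares at x = 0; wrong if fewer than k are given."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares, length: int) -> bytes:
    """Reassemble the credential bytes from at least k shares."""
    return recover_int(shares).to_bytes(length, "big")


def demo():
    """Split a root credential 2-of-3; show two holders suffice and one does not."""
    root_pw = b"correct-horse-battery"        # constructed, not a real credential
    shares = split_secret(root_pw, k=2, n=3)   # assumed holders: CFO, CIO, safe
    two = recover_secret([shares[0], shares[2]], len(root_pw)) == root_pw
    one = recover_int([shares[1]]) == int.from_bytes(root_pw, "big")
    return two, one
```

With one share a holder cannot even tell whether a guess at the password is right, because every possible secret is consistent with that share. The operational rules are the same as for the envelope: each reconstruction is logged and signed for by both holders, and the credential is rotated and re-split afterwards.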

In conclusion, managers should think about the structure of control over information as they design security policies, so that the safeguards afforded by separation of duties or dual control are present throughout all systems.

45.3.8 No Unauthorized Security Probes.

In general, all managers—not just security officers—should always be looking for vulnerabilities and opportunities for improving security. However, no one should ever test production systems for vulnerabilities without the full cooperation of the corporate information protection group, and only with authorization of the right executives. Written approval for explicit tests of security is informally known as a get-out-of-jail card because without it, employees can go to jail for unauthorized probes of system security.

The case of Randal Schwartz, a consultant to Intel Corporation in Beaverton, Oregon, is a salutary example for employees of the dangers of unauthorized security probes. He was convicted of hacking his way into Intel Corporation computer networks in what he claimed was an effort to point out security flaws while he was working there as a consultant. The would-be security expert failed to notify his employers of his intentions and forgot to get authorization for stealing passwords and making unauthorized changes in system software. He was convicted of three felony counts in July 1995 and was fined $68,000 in restitution as well as being put under five years of probation and having to perform 480 hours of community service.13

A counterexample to warn managers of misplaced zeal in suppressing cooperation with law enforcement is the case of Shawn Carpenter, a network intrusion detection security analyst at Sandia National Laboratories. He was fired by publicity-shy administrators when he worked with law enforcement officials to track down extensive penetrations of U.S. national security assets. An investigation code-named TITAN RAIN began in late 2003.14 Carpenter noted a flood of expert hacker activity focusing on data theft from a wide range of national security interests. Carpenter discovered that “the attacks emanated from just three Chinese routers that acted as the first connection point from a local network to the Internet.”15 Carpenter worked with U.S. Army Counterintelligence and FBI investigators to learn more about the attacks and the attackers. Carpenter never used Sandia's or government-owned equipment or network resources in his investigations. Administrators applied Sandia Internal Directive 12 ISNL ID012 which “specifically prohibits employees from speaking with local, state or Federally-elected officials.” In 2007, Carpenter was awarded $4.3 million for wrongful termination.16

45.4 TERMINATION OF EMPLOYMENT.

Taking our security mandate in the widest sense, we have to protect our employer and ourselves against potential damage from unethical, disgruntled, or incompetent employees, and against the legal consequences of improper firing procedures. Common sense and common decency argue for humane and sensitive treatment of people being fired and those who are resigning. Firing people is stressful for everyone concerned, and it usually leads to increased security risks.17 Managers should do everything in their power to ensure a courteous, respectful, and supportive experience when terminating employment.

45.4.1 Resignations.

Potentially the most dangerous form of employment termination is a resignation. The problem is summed up in the caption of a cartoon where a savage attack is in progress against a medieval town that is in flames; a clan war chieftain confronts a singed and dirty warrior. “No, no, Thor! Pillage, THEN burn!” Like the war chieftain, employees rarely resign without planning. An employee may have an indefinite period during which the action is imminent, while the employer may remain unaware of the situation. If the employee has bad feelings toward, or evil designs on, the current employer, there is a period of vulnerability frequently unknown to management. Dishonest or unbalanced employees could steal information or equipment, cause immediate or delayed damage using programmatic techniques, or introduce faulty data into the system.

The policies discussed in previous sections of this chapter should reduce the risks associated with resignations. The manager's goal should be to make resignations rare and reasonable. By staying in touch with employees' feelings, moods, and morale, managers can identify sources of strain and perhaps resolve problems before they lead to resignations and their associated security risks.

45.4.2 Firings.

Firings appear to give the advantage to employers, but there may be complications.

45.4.2.1 Timing.

One advantage is that the time of notification to a fired employee can be controlled to minimize effects on the organization and its business. For example, employers might find it best to fire an incompetent, or no longer acceptable, employee before beginning an important new project or after a particular project has finished.

Some people argue that to reduce the psychological impact on other employees, they should fire people at the end of the day, perhaps even before a long weekend. The theory is that the practice gives everyone a cooling-off period outside working hours. These managers say they do not want the buzz of conversation and speculation that often follow a firing to intrude on the workday. This policy fails to regard the psychological stress to employees who have a ruined weekend and no way of responding constructively to their potentially catastrophic loss of a regular income.

A better approach to this stressful task is to fire people early on Monday morning in order to provide an unrushed exit interview and, if appropriate, job counseling to help the employee prepare for job hunting. In this scenario, the regrettable necessity (from the manager's point of view) of terminating employment is buffered by professionals in the HR department, who can give the departing employee a sense of hope and some practical as well as emotional support in this difficult time. A humane attitude is particularly important during downsizing, or when plants are closed, and many people are being fired—one of the worst experiences possible for both employees and managers, and an event that has serious security implications.

In one large company, the personnel department asked their information security staff to suspend the access codes for more than 100 people who were to be fired at 18:00 on Tuesday. On Wednesday at 08:00, the security staff began receiving phone calls asking why the callers' logon IDs no longer worked. It turned out that the personnel staff had failed to inform the terminated employees on time. The psychological trauma to both the employees who were fired and to the security staff was severe. Several security staff members were sent home in tears to recuperate from their unfortunate experience. The harm done to the fired employees was even more serious, and the effect on morale of the remaining employees was a disaster. There could well have been violence in that situation.

45.4.2.2 Procedures upon Termination.

In both resignations and firings, security consultants unanimously advise instant action. Not for them the leisurely grace period during which employees wind down their projects, or hand them off to other staff members. Security officers are a hard lot, and they usually advise this scenario: In a formal exit interview, and in the presence of at least two managers, an officer of the employer informs the employee politely that his or her employment is at an end. During the exit interview, the officer explains the reasons for termination of employment. The officer gives the employee a check for the period of notification required by law or by contract, plus any severance pay due. Under supervision, preferably in the presence of at least one security guard, the employee is escorted to the accustomed work area and invited to remove all personal belongings and place them in a container provided by the employer. The employee returns all company badges, IDs, business cards, credit cards, and keys, and is then ushered politely outside the building.

At the same time all this is happening, all security arrangements must be changed to exclude the ex-employee from access to the building and to all information systems. Such restrictions can include:

  • Striking the person's name from all security post lists of authorized access
  • Explicitly informing guards that the ex-employee may not be allowed into the building, whether unaccompanied or accompanied by an employee, without special authorization by named authorities
  • Changing the combinations, reprogramming access card systems, and replacing physical keys if necessary for all secure areas to which the individual used to have authorized access
  • Removing or changing all personal access codes known to have been used by the ex-employee on all secured computer systems, including microcomputers, networks, and mainframes
  • Informing all outside agencies (e.g., tape storage facilities and outsourced functions) that the ex-employee is no longer authorized to access any of the employer's information or to initiate security or disaster recovery procedures
  • Requesting cooperation from outside agencies in informing the employer if ex-employees attempt to exercise unauthorized functions on behalf of their former employer

The task is made more difficult by seniority, or if the ex-employee played an important role in disaster recovery or security. The employer should be assiduous in searching out all possible avenues of entry resulting from the person's position of responsibility and familiarity with security procedures.
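The list of restrictions above and the warning about senior or security-role employees amount to a reconciliation problem: every avenue of access the person held must be matched by a completed revocation, and shared secrets (combinations, group accounts) must be rotated rather than merely disabled. The following is an added illustration, not code from the Handbook; the inventory format, the sample grants, and the completed-action log are constructed assumptions.

```python
"""Offboarding reconciliation: find access a departed employee still holds.

Added example (not from the Handbook). Each grant is classified by what the
checklist requires: personal credentials are disabled, shared secrets are
rotated, and outside parties (guards, tape vault, outsourcers) are notified.
Completed actions are reconciled against the inventory to list what remains.
"""
from dataclasses import dataclass

REQUIRED_ACTION = {"personal": "disable", "shared": "rotate", "external": "notify"}


@dataclass(frozen=True)
class Grant:
    system: str   # where the access exists
    kind: str     # "personal", "shared", or "external"
    detail: str   # identifier, lock, or party concerned
    owner: str    # team responsible for the revocation


def plan_revocations(grants):
    """Return (action, grant) pairs the checklist requires for each grant."""
    return [(REQUIRED_ACTION[g.kind], g) for g in grants]


def residual_access(grants, completed):
    """Grants with no matching completed action, grouped by responsible team.

    A 'disable' recorded against a shared secret does not count: shared
    secrets must be rotated because the ex-employee still knows them.
    """
    done = set(completed)
    leftover = {}
    for action, g in plan_revocations(grants):
        if (action, g) not in done:
            leftover.setdefault(g.owner, []).append((action, g))
    return leftover


# Constructed inventory for a senior operator with disaster-recovery duties.
SAMPLE_GRANTS = [
    Grant("mainframe", "personal", "logon ID OPS042", "it-security"),
    Grant("network", "personal", "VPN certificate", "it-security"),
    Grant("computer-room", "shared", "door combination", "facilities"),
    Grant("tape-vault", "shared", "physical key", "facilities"),
    Grant("guard-post", "external", "authorized-entry roster", "facilities"),
    Grant("tape-storage-vendor", "external", "DR call-out list", "vendor-mgmt"),
]

# Constructed log of what was actually done on the day of termination.
SAMPLE_COMPLETED = [
    ("disable", SAMPLE_GRANTS[0]),
    ("disable", SAMPLE_GRANTS[1]),
    ("disable", SAMPLE_GRANTS[2]),   # wrong action: a combination must be rotated
    ("rotate", SAMPLE_GRANTS[3]),
]


if __name__ == "__main__":
    for owner, items in residual_access(SAMPLE_GRANTS, SAMPLE_COMPLETED).items():
        for action, g in items:
            print(f"{owner}: {action} {g.detail} on {g.system}")
```

On the constructed data the report flags the computer-room combination (recorded as disabled, but still known to the ex-employee), the guard roster, and the vendor's call-out list. The last two are exactly the gaps that let the ex-employee in the station-wagon story walk past a guard and load the backup tapes; running such a reconciliation before the termination is considered closed makes those omissions visible while they can still be fixed.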

In one story circulating in the security literature, an employee was fired without the safeguards just suggested. He returned to the workplace the next Saturday with his station wagon and greeted the security guard with the usual friendliness and confidence. The guard, who had known him for years, was unaware that the man had been fired. The ex-employee still had access codes and copies of keys to secure areas. He entered the unattended computer room, destroyed all the files on the system, and then opened the tape vault. He engaged the guard's help in loading all the company's backup tapes into his station wagon. The thief even complained about how he had to work on weekends. This criminal then tried to extort money from the company by threatening to destroy the backup tapes, but he was found by police and arrested in time to prevent a disaster for his ex-employer.

This story emphasizes the importance of reaching everyone who needs to know that an employee no longer works for the enterprise.

45.4.2.3 Support in Involuntary Terminations.

Security does sometimes prevent a farewell party, one obvious sign of friendliness. The problem with a farewell party at work is that employees leaving under a cloud may feel humiliated when other people get a party but they do not. Generally it makes sense to treat all departing employees the same, even if the termination is involuntary.

However, nothing stops a humane and sensitive employer from encouraging employees to arrange an after-hours party even for people who have been fired. If a resignation is on good terms, however, the employer may even arrange a celebration, possibly during working hours and perhaps at company cost, without having to worry about possible negative repercussions.

A firing, or a resignation on poor terms, has two psychological dangers: effects on the individual concerned of embarrassment, shame, and anger, and effects on the remaining staff of rumors, resentment, and fear. Both kinds of problems can be minimized by publishing termination procedures in organization documents provided to all employees; by requiring all employees to sign a statement confirming that they have read and agreed to the termination procedures; and by consistent application of the termination procedures.

The personal shock of being fired can be reduced by politeness and consideration consistent with the nature of the reasons for being fired, although even nasty people should not be subject to verbal or physical abuse, no matter how bad their behavior. Their treatment should be consistent with that meted out to other fired employees, and there should be generous severance arrangements, if possible.

Organizational turmoil can be reduced by convening organization-wide or departmental meetings to brief remaining employees on the details of a significant termination. Open discussions, including how people feel about the rupture of relationships, can be helpful. The remaining employees may have to suffer grief, as a process, not a state. Grief is a normal and healthy response to disruption of relationships (e.g., death of a loved one, divorce, and even the loss of a coworker). Some people value social relationships more than other aspects of their work, and they may be especially affected by firings. Grief involves stages of denial, anger, mourning, and recovery. Trying to forestall such responses by denying that people legitimately have feelings is foolish and counterproductive. It is far better to encourage those who are upset to voice their feelings, and to engage in constructive discussion, than to clamp down in a futile attempt to suppress discussion.

45.4.2.4 Style of Termination.

The way an organization handles job termination affects more than internal relations; it also influences its image in the outside world. Prospective employees will think twice about accepting job offers from an organization that mistreats departing employees. Clients may form a negative impression of a company's stability if it abuses its own people. Investors also may look askance at a firm that gets a reputation for shoddy treatment of employees. Bad relations among managers and employees are a warning sign of long-term difficulties.

45.4.2.5 Legal Issues.

There is another dimension to employment termination that depends on local laws and the litigation environment. The United States, for example, is said to be one of the most litigious nations on the planet, perhaps because of the high number of lawyers compared with the total population.

The list that follows is not legal advice; for legal advice, consult an attorney. However, simple experience does teach some principles, even without going to law school. Here are some pragmatic guidelines for preventing legal problems related to firings for cause:

  • Build a solid, documented case for firing someone before acting.
  • Keep good records, be objective, and get the opinions of several trustworthy people on record.
  • Offer the delinquent employee all reasonable chances to correct his or her behavior.
  • Give the employee clear feedback long before considering firing.

Timing is important in employee relations, as it is in almost everything else we do. In particular, if an employee is found to be behaving improperly or illegally, there must be no marked delay in dealing with the problem. Such persons could sue the employer and individual managers. They could argue in court that the very fact that there was a delay in firing them was proof that the firing was due to other factors such as personality conflicts, racism, or sexism. A well-defined procedure for progressing through the decision will minimize such problems.

The critical legal issue is consistency. If rules such as those just described for the day of the firing are applied haphazardly, there could easily be grounds for complaining of unfairness. Those to whom the rules were strictly applied would justifiably feel implicitly criticized. How would we feel if we were singled out by having guards check what we took home from our desk—if everyone else got a party and two weeks' notice? Such inconsistency would be grounds for legal proceedings for defamation of character. The company might lose and it might win, but what nonlawyer wants to spend time in court?

Another issue that arises in connection with firings and resignations involves nondisclosure agreements. All such agreements must be included in a contract signed before the prospective employee begins work; it is almost impossible to force an existing employee to sign such an agreement.

Managers, the legal department, and the personnel department should study the necessity and feasibility of instituting a legally binding contractual obligation to protect their company's confidential information for a specified period of time after leaving. One typically does not impose indefinite gags on people; one year seems to be normal. (However, there are exceptions. Oprah Winfrey insists that all employees who work at Harpo sign a lifelong confidentiality agreement, which an Illinois appeals court upheld when a former employee tried to write a book about the media mogul.) For this measure to be meaningful, the initial employment contract should stipulate that departing employees must reveal their new employer, if there is one at that time.

Noncompetition agreements require the employee to refrain from working for direct competitors for perhaps a year after termination of employment. The key to a successful clause here is that there be a strict, operational definition of “direct competitors.” Because this limitation can be an onerous impediment to earning a living, many jurisdictions forbid such clauses.

45.5 SUMMARY.

Some of the key recommendations from this chapter follow.

Hiring

  • Investigate the accuracy of every likely job candidate's résumé.
  • Perform background investigations when hiring for sensitive positions.
  • Arrange for experienced staff members to interview candidates and discuss inconsistencies.
  • Require signing of a legally appropriate employment contract.

Ongoing Management

  • Identify and resolve opportunities for abuse.
  • Assign access functions on the basis of need, not social status.
  • Identify indispensable employees, and arrange for cross-training of other staff.
  • Require employees to take their vacations, or to rotate their job functions periodically, so as to ensure operational continuity and to bring possible fraud to light.
  • Note and respond to sudden changes in behavior and mood; involve human resources as appropriate.
  • Enforce separation of duties and dual control for sensitive functions.
  • Do not engage in, or tolerate, unauthorized probes of system security.

Termination of Employment

  • Provide an opportunity for fired employees to receive counseling and support.
  • Ensure that the HR department collaborates with the information technology group to take all appropriate security measures when anyone leaves the employment of the enterprise.
  • Ensure that firings do not cause long-term morale problems.
  • Follow the guidance of corporate counsel to avoid wrongful dismissal suits.
  • Use legally appropriate nondisclosure and noncompetition clauses in employment contracts.

In summary, information security depends on coordination with HR personnel to ensure consistent policies for hiring, ongoing management, and termination of employment.

45.6 FURTHER READING

Armstrong, M. A Handbook of Human Resource Management Practice, 10th ed. London, UK: Kogan Page, 2006.

Bologna, J. Handbook on Corporate Fraud: Prevention, Detection, Investigation. Boston: Butterworth-Heinemann, 1993.

Dresang, D. L. Personnel Management in Government Agencies and Nonprofit Organizations, 5th ed. London, UK: Longman, 2008.

Mathis, R. L., and J. H. Jackson. Human Resources Management, 9th ed. Cincinnati: South-Western Publishing, 1999.

McNamara, C. “Human Resources Management,” 2007, www.mapnp.org/library/hr_mgmnt/hr_mgmnt.htm.

NAPA (National Academy of Public Administration: Human Resources Management Consortium), 2008, www.napawash.org/pc_human_resources.

NOLO. “Human Resources,” 2008. Includes links to “Hiring Employees,” “Personnel Policies & Practices,” “Preventing Discrimination,” “Ensuring Privacy in the Workplace,” “When Workers Leave,” “Firing Employees,” and other topics; www.nolo.com/resource.cfm/catid/cb627bad-f421-4af1-ae5c9d84021bb999/111/259/.

SHRM (Society for Human Resource Management). White Papers, 2008, www.shrm.org/hrresources/whitepapers_published/toc.asp.

45.7 NOTES

1. R. Richardson, “CSI Computer Crime and Security Survey,” Computer Security Institute, 2007, www.gocsi.com/forms/csLsurvey.jhtml (free; registration required).

2. For guidance on setting policies, see Chapter 44 in this Handbook; for details of email and Internet usage policies, see Chapter 48; for security awareness advice, see Chapter 49; for applications of the principles of social psychology in reinforcing a culture of security, see Chapter 50.

3. Peter Levine, quoted in www.virtualhrscreening.com/background/whybackground.htm.

4. Department of Justice Press Release, “Jury Finds Former Coke Employee Guilty in Conspiracy to Steal and sell Coca-Cola Trade Secrets,” February 2, 2007, http://atlanta.fbi.gov/dojpressrel/pressrel07/tradesecrets020207.htm.

5. See Chapter 10 in this Handbook for more details on understanding computer crime statistics.

6. “Around the Nation: 2d Man Pleads Guilty in Wells Fargo Case,” New York Times, August 12, 1981, p A.10 (fee required), http://tinyurl.com/5byd6c.

7. L. J. Kushner, “Career Management 101 for Information Security Pros,” Information Security, June 29, 2006, http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1196912,00.html.

8. L. Stack, “Employees Behaving Badly: Combating Desk Rage,” Human Resources, October 5, 2004, www.humanresourcesmagazine.com.au/articles/C6/0C0251C6.asp?Type=60&Category=903.

9. See Chapter 47.

10. See Chapter 39.

11. See Chapter 47.

12. Nicholas Leeson official Web site: www.nickleeson.com/biography/index.html.

13. S. Pacenka, “Computer Crime?” State of Oregon v. Randal Schwartz, Washington County Circuit Court C94-0322CR, 2007. Complaint brought by Mr. Schwartz's client, the Intel Corporation; www.lightlink.com/spacenka/fors/.

14. I. Winkler, “Guard against Titan Rain Hackers,” Computerworld, October 20, 2005, www.computerworld.com/securitytopics/security/story/0,10801,105585,00.html.

15. N. Thornburgh, “The Invasion of the Chinese Cyberspies (and the Man Who Tried to Stop Them),” TIME, August 29, 2005, www.time.com/time/magazine/printout/0,8816,1098961,00.html.

16. J. Vijayan, “Reverse Hacker Wins $4.3M in suit against Sandia Labs: Shawn Carpenter used his own hacking techniques to probe outside breach,” Computerworld, February 14, 2007, www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011283.

17. S. Terlap and E. Morath, “Final Day at Ford Bittersweet for Scores of Salaried Workers,” Detroit News, March 1, 2007, http://detroitnews.com/apps/pbcs.dll/article?AID=/20070301/AUTO01/703010359/1148.
