Personnel Security Policies and Practices

CISSP candidates must have a basic understanding of various employment policies and practices, as well as how these policies achieve information security objectives. You should also know the various information security roles and responsibilities within an organization.

Cross-reference: We also discuss various components of personnel security in Chapter 9.

Background checks and security clearances

Pre- and post-employment background checks can provide an employer with valuable information about an individual whom an organization is considering for a job or position within an organization. Such checks can give an immediate indication of an individual’s integrity and can help screen out unqualified applicants.

Basic background checks should be conducted for all personnel with access to sensitive information or systems within an organization. A basic background check should include

- Reference checks: Personal, professional, and employment

- Verification of data in employment applications and resumes: Social Security numbers, education, professional/technical certifications, military records, and previous employment

- Other records: Court, local law enforcement, and motor vehicle records

Personnel who fill sensitive positions should undergo a more extensive pre-employment screening and background check, possibly including

- Credit records

- Drug testing

- Special background investigation: FBI and INTERPOL records, field interviews with former associates, or a personal interview with a private investigator

Periodic post-employment screenings (such as credit records and drug testing) may also be necessary, particularly for personnel with access to financial data, cash, or high-value assets, or for personnel being considered for promotions to more sensitive or responsible positions.

Employment agreements

Various employment agreements should be signed when an individual joins an organization or is promoted to a more sensitive position within an organization. Typical employment agreements include non-compete/non-disclosure agreements and acceptable use policies.

Hiring and termination practices

Hiring and termination practices should be formalized within an organization to ensure fair and uniform treatment and to protect the organization and its information assets.

Standard hiring practices should include background checks and employment agreements (as we discuss in the preceding sections), as well as a formal indoctrination and orientation process. This process may include formal introductions to key organizational personnel, creating user accounts and assigning IT resources (PCs and notebook computers, for example), assigning security badges and parking permits, and a general policy discussion with Human Resources personnel.

Formal termination procedures should be implemented to help protect the organization from potential lawsuits, property theft and destruction, unauthorized access, or workplace violence. Procedures should be developed for various scenarios including resignations, termination, layoffs, accident or death, immediate departures versus prior notification, and hostile situations. Termination procedures may include

- Having the former employee surrender keys, security badges, and parking permits

- Conducting an exit interview

- Having security escort the former employee to collect his or her personal belongings and/or to leave the premises

- Asking the former employee to return company materials (notebook computers, mobile phones and devices, PDAs, and so on)

- Changing door locks and system passwords

- Formally turning over duties and responsibilities

- Removing network and system access and disabling user accounts

- Enforcing policies regarding retention of e-mail, personal files, and employment records

- Notifying customers, partners, vendors, and contractors, as appropriate

Job descriptions

Concise job descriptions that clearly identify an individual’s responsibility and authority, particularly on information security issues, can help

- Reduce confusion and ambiguity.

- Provide legal basis for an individual’s authority or actions.

- Demonstrate any negligence or dereliction in carrying out assigned duties.

Security roles and responsibilities

The truism that information security is “everyone’s responsibility” is too often put into practice as “Everyone is responsible, but no one is accountable.” To avoid this pitfall, specific roles and responsibilities for information security should be defined in an organization’s security policy, individual job or position descriptions, and third-party contracts. These roles and responsibilities should apply to employees, consultants, contractors, interns, and vendors. And they should apply to every level of staff, from C-level executives to line employees. Several broad categories for information security roles and common responsibilities are discussed in the following sections.

Management

Senior-level management is often responsible for information security at several levels, including the role as an information owner, which we discuss in the following section. However, in this context, management has a responsibility to demonstrate a strong commitment to an organization’s information security program through the following actions:

- Creating a corporate information security policy: This policy should include a statement of support from management and should also be signed by the CEO, COO, or CIO.

- Leading by example: A CEO who refuses to carry a mandatory identification badge or who bypasses system access controls sets a poor example.

- Rewarding compliance: Management should expect proper security behavior and acknowledge, recognize, and/or reward employees accordingly.

Remember: Management is always ultimately responsible for an organization’s overall information security and for any information security decisions that are made (or not made). Our role as information security professionals is to report security issues and to make appropriate information security recommendations to management.

Owner

An information owner is normally assigned at an executive or senior-management level within an organization, such as director or vice-president. An information owner doesn’t legally own the information assigned to him or her; the information owner is ultimately responsible for safeguarding assigned information assets and may have fiduciary responsibility or be held personally liable for negligence in protecting these assets under the concept of due care.

Cross-reference: For more on due care, read Chapter 12.

Typical responsibilities of an information owner may include

- Determining information classification levels for assigned information assets

- Determining policy for access to the information

- Maintaining inventories and accounting for assigned information assets

- Periodically reviewing classification levels of assigned information assets for possible downgrading, destruction, or disposal

- Delegating day-to-day responsibility (but not accountability) and functions to a custodian

Custodian

An information custodian is the individual who has day-to-day responsibility for protecting information assets. IT systems administrators or network administrators often fill this role. Typical responsibilities may include

- Performing regular backups and restoring data, when necessary

- Ensuring that directory and file permissions are properly implemented and provide sufficient protection

- Assigning new users to appropriate permission groups and revoking user privileges, when required

- Maintaining classified documents or other materials in a vault or secure file room

Remember: The distinction between owners and custodians, particularly regarding their different responsibilities, is an important concept in information security management. The information owner has ultimate responsibility for the security of the information, whereas the information custodian is responsible for the day-to-day security administration.

Users

An end-user (or user) includes just about everyone within an organization. Users aren’t specifically designated. They can be broadly defined as anyone who has authorized access to an organization’s internal information or information systems. Typical user responsibilities include

- Complying with all security requirements defined in organizational policies, standards, and procedures; applicable legislative or regulatory requirements; and contractual requirements (such as non-disclosure agreements and Service Level Agreements).

- Exercising due care in safeguarding organizational information and information assets.

- Participating in information security training and awareness efforts.

- Reporting any suspicious activity, security violations, security problems, or security concerns to appropriate personnel.

Separation of duties and responsibilities

The concept of separation (or segregation) of duties and responsibilities ensures that no single individual has complete authority and control over a critical system or process. This practice promotes security in the following ways:

- Reduces opportunity for waste, fraud, or abuse.

- Provides two-man control (also called dual-control or two-person integrity).

- Reduces dependence on individuals (see the section “Avoiding single points of failure,” earlier in this chapter).

Smaller organizations may find this practice difficult to implement because of limited personnel and resources.

Job rotation

Job rotation (or rotation of duties) provides another effective security control with many benefits to an organization. Similar to the concept of separation of duties and responsibilities (discussed in the preceding section), job rotations involve regularly transferring key personnel into different positions or departments within an organization. Job rotations benefit an organization in the following ways:

- Reduce opportunity for waste, fraud, or abuse.

- Reduce dependence on individuals through cross-training opportunities, and promote professional growth.

- Reduce monotony and/or fatigue for individuals.

As with the practice of separation of duties, job rotations can be difficult to implement in smaller organizations.

Tip: A side benefit of job rotations is that people are far less likely to commit fraudulent activities, for fear that they will be caught if they are unexpectedly rotated into another position.
