Administrative Management and Control

An organization needs clearly documented policies and procedures in order to facilitate the use and protection of information. There are numerous conceptual best practices for protecting the business and its important information assets. These best practices all have to do with how people — not technology — work together to support the business.

This is collectively known as administrative management and control.

Job requirements and qualifications

Even before posting a “Help Wanted” sign (Do people still do that?!) or an ad on a job search website, an employer should ensure that the position to be filled is clearly documented and contains a complete description of the job requirements, the qualifications, and the scope of responsibilities and authority.

The job (or position) description should be created as a collaborative effort between the hiring manager — who fully understands the functional requirements of the specific position to be filled — and the human resources manager — who fully understands the applicable employment laws and organizational requirements to be addressed.

Having a clearly documented job (or position) description can benefit an organization for many reasons:

• The hiring manager knows (and can clearly articulate) exactly what skills a certain job requires.

• The human resources manager can pre-screen job applicants quickly and accurately.

• Potential candidates can ensure they apply only for positions for which they’re qualified, and they can properly prepare themselves for interviews (for example, by matching their skills and experiences to the specific requirements of the position).

• After the organization fills the position, the position description helps to reduce confusion about what the organization expects from the new employee and provides objective criteria for evaluating performance.

Cross-reference: See Chapter 6 for more information on job descriptions.

Background checks and verification

An organization should conduct background checks and verify application information for all potential employees and contractors. This process can help to expose any undesirable or unqualified candidates. For example:

• A previous criminal conviction may immediately disqualify a candidate from certain positions within an organization.

• Even when the existence of a criminal record itself doesn’t automatically disqualify a candidate, if the candidate fails to disclose this information in the job application or interview, it should be a clear warning sign for a potential employer.

• Some positions that require a U.S. government security clearance are available only to U.S. citizens.

• A candidate’s credit history should be examined if the position has significant financial responsibilities or handles high-value assets, or if a high opportunity for fraud exists.

• It has been estimated that as many as 40 percent of job applicants “exaggerate the truth” on their résumés and applications. Common sources of omitted, exaggerated, or outright misleading information include employment dates, salary history, education, certifications, and achievements. Although the information itself may not be disqualifying, a dishonest applicant should not be given the opportunity to become a dishonest employee.

Most background checks require the written consent of the applicant and disclosure of certain private information (such as the applicant’s Social Security number). Private information obtained for the purposes of a background check, as well as the results of the background check, must be properly handled and safeguarded in accordance with applicable laws and the organization’s records retention and destruction policies.

Background checks and verification can include the following information:

• Criminal record

• Citizenship

• Credit history

• Employment history

• Education

• Certifications and licenses

• Union and association membership

Cross-reference: See Chapter 6 for more information on background checks and security clearances.

Separation of duties and responsibilities

The concept of separation (or segregation) of duties and responsibilities ensures that no single individual has complete authority and control of a critical system or process. This practice promotes security in the following ways:

• Reduces opportunities for fraud or abuse: In order for fraud or abuse to occur, two or more individuals must collude or be complicit in the performance of their duties.

• Reduces mistakes: Because two or more individuals perform the process, mistakes are less likely to occur, or mistakes are more quickly detected and corrected.

• Reduces dependence on individuals: Critical processes are accomplished by groups of individuals or teams. Multiple individuals should be trained on different parts of the process (for example, through job rotation, discussed in the following section) to help ensure that the absence of an individual doesn’t unnecessarily delay or impede successful completion of a step in the process.

Here are some common examples of separation of duties and responsibilities within organizations:

• A bank assigns the first three numbers of a six-number safe combination to one employee and the second three numbers to another employee. A single employee isn’t permitted to have all six numbers, so a lone employee is unable to gain access to the safe and steal its contents.

• An accounting department might separate record entry and internal auditing functions, or accounts payable and check disbursing functions.

• A system administrator is responsible for setting up new accounts and assigning permissions, which a security administrator then verifies.

• A programmer develops software code, but a separate individual is responsible for testing and validation, and yet another individual is responsible for loading the code on production systems.

• Destruction of classified materials may require two individuals to complete or witness the destruction.

• Disposal of assets may require an approval signature by the office manager and verification by building security.

In smaller organizations, separation of duties and responsibilities can sometimes be difficult to implement because of limited personnel and resources.
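Every example above reduces to one rule: a single person must not hold two roles that the policy declares incompatible for the same process or object. The following is an added example, not code from the book, that encodes such incompatible role pairs (the role names are illustrative) and applies the rule two ways: as a gate on a proposed assignment before a release proceeds, and as an audit over a constructed event log to detect where the rule was already broken. It generalizes the page's individual examples into the check a review or audit tool would actually run.

```python
"""Separation-of-duties (SoD) conflict checker.

Constructed example, not from the book. Roles that one person must never
hold together for the same object are listed as unordered pairs; the
checker reports every such pair held by one person.
"""
from __future__ import annotations

from itertools import combinations

# Incompatible role pairs, taken from the examples in the text
# (role names are illustrative, not a real product's identifiers).
INCOMPATIBLE_ROLES = frozenset({
    frozenset({"record_entry", "internal_audit"}),
    frozenset({"accounts_payable", "check_disbursing"}),
    frozenset({"account_setup", "account_verification"}),
    frozenset({"develop", "test"}),
    frozenset({"develop", "deploy"}),
    frozenset({"test", "deploy"}),
})


def sod_conflicts(assignments: dict[str, set[str]],
                  incompatible: frozenset = INCOMPATIBLE_ROLES) -> list[tuple[str, str, str]]:
    """Return (person, role_a, role_b) for every incompatible pair one person holds.

    `assignments` maps a person to the set of roles they hold for one object
    (one change, one invoice, one account). An empty list means no conflict.
    """
    found = []
    for person, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in incompatible:
                found.append((person, a, b))
    return found


def can_release(author: str, testers: set[str], deployer: str) -> bool:
    """Gate for the programmer / tester / deployer example in the text.

    The release may proceed only if at least one tester exists and no single
    person fills two of the three roles.
    """
    assignments: dict[str, set[str]] = {}
    assignments.setdefault(author, set()).add("develop")
    for tester in testers:
        assignments.setdefault(tester, set()).add("test")
    assignments.setdefault(deployer, set()).add("deploy")
    return bool(testers) and not sod_conflicts(assignments)


def audit_events(events: list[tuple[str, str, str]]) -> dict[str, list[tuple[str, str, str]]]:
    """Detect SoD violations after the fact from (user, role_action, object_id) events.

    Events are grouped per object so that a person who legitimately tests one
    change and develops a different one is not flagged.
    """
    per_object: dict[str, dict[str, set[str]]] = {}
    for user, action, obj in events:
        per_object.setdefault(obj, {}).setdefault(user, set()).add(action)
    report = {}
    for obj, assignments in per_object.items():
        conflicts = sod_conflicts(assignments)
        if conflicts:
            report[obj] = conflicts
    return report


# Constructed sample log: CHG-101 is clean; CHG-102 and INV-7 each show one
# person performing both halves of a duty that should have been split.
EVENTS = [
    ("alice", "develop", "CHG-101"),
    ("bob", "test", "CHG-101"),
    ("carol", "deploy", "CHG-101"),
    ("dave", "develop", "CHG-102"),
    ("dave", "test", "CHG-102"),
    ("erin", "deploy", "CHG-102"),
    ("frank", "accounts_payable", "INV-7"),
    ("frank", "check_disbursing", "INV-7"),
]

if __name__ == "__main__":
    print("release alice/bob/carol allowed:", can_release("alice", {"bob"}, "carol"))
    print("release alice/alice/carol allowed:", can_release("alice", {"alice"}, "carol"))
    for obj, conflicts in audit_events(EVENTS).items():
        for person, a, b in conflicts:
            print(f"{obj}: {person} held both '{a}' and '{b}'")
```

The audit groups events by object before checking, which is what keeps job rotation (the next section) from producing false positives: a person who tested one change and later developed another has not violated separation of duties for either. In a small organization where the same person must hold two roles, the conflict list is the record that a compensating control (such as a second-person review) is needed rather than a reason to skip the check.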

Job rotation

Job rotation (or rotation of duties) is another effective security control that offers many benefits to an organization. Similar to the concept of separation of duties and responsibilities, job rotations involve regularly (or randomly) transferring key personnel into different positions or departments within an organization, with or without notice. Job rotations accomplish several important organizational objectives:

• Reduce opportunities for fraud or abuse. Regular job rotations can accomplish this objective in the following two ways:

  ◦ People hesitate to set up the means for periodically or routinely stealing corporate information because they know that they could be moved to another shift or task at almost any time.

  ◦ People don’t work with each other long enough to form collusive relationships that could damage the company.

• Eliminate single points of failure. By ensuring that numerous people within an organization or department know how to perform several different job functions, an organization can reduce dependence on individuals and thereby eliminate single points of failure when an individual is absent, incapacitated, no longer employed with the organization, or otherwise unavailable to perform a critical job function.

• Promote professional growth. Through cross-training opportunities, job rotations can help an individual’s professional growth and career development, and reduce monotony and/or fatigue.

Job rotations can also include changing workers’ workstations and work locations, which can also keep would-be saboteurs off balance.

As with the practice of separation of duties, small organizations can have difficulty implementing job rotations.

Mandatory vacations

Requiring employees to take one or more weeks of their vacation in a single block of time gives the organization an opportunity to uncover potential fraud or abuse. Employees engaging in illegal or prohibited activities are sometimes reluctant to be away from the office, concerned that these activities will be discovered in their absence. This may occur as a result of an actual audit or investigation, or when someone else performing that person’s normal day-to-day functions in their absence uncovers an irregularity. Less ominously, mandatory vacations may help in other ways:

• Reduce individual stress and therefore reduce opportunities for mistakes or coercion by others.

• Discover inefficient processes when a substitute performs a job function more quickly or discovers a better way to get something done.

• Reveal single points of failure and opportunities for job rotation (and separation of duties and responsibilities) when a process or job function idles because the only person who knows how to perform that function is lying on a beach somewhere.

Need-to-know

The concept of need-to-know states that only people with a valid need to know certain information in order to perform their job functions should have access to that information. In addition to having a need-to-know, an individual must have an appropriate security clearance level in order for access to be granted. Conversely, an individual with the appropriate security clearance level, but without a need-to-know, should not be granted access.

One of the most difficult challenges in managing need-to-know is the use of controls that enforce need-to-know. Also, information owners need to be able to distinguish “I need to know” from “I want to know,” “I want to feel important,” and “I’m just curious.”

Need-to-know is a closely related concept to least privilege, discussed in the next section, and can help organizations implement the concept of least privilege in a practical manner.

Least privilege

Least privilege is closely related to need-to-know, but least privilege applies more to functionality than to access of data. The principle of least privilege is that persons should have the capability to perform only the tasks (or have access to only the data) that are required to perform their primary jobs, and no more.

To give an individual more privileges and access than required invites trouble. Offering the capability to perform more than the job requires may become a temptation that results, sooner or later, in an abuse of privilege.

For example, giving a user full permissions on a network share, rather than just read and modify rights to a specific directory, opens the door not only for abuse of those privileges (for example, reading or copying other sensitive information on the network share) but also for costly mistakes (accidentally deleting a file — or the entire directory!). As a starting point, organizations should approach permissions with a “deny all” mentality, then add needed permissions as required.

Tip: Least privilege is also closely related to separation of duties and responsibilities, described in the section “Separation of duties and responsibilities,” earlier in this chapter. Distributing the duties and responsibilities for a given job function among several people means that those individuals require fewer privileges on a system or resource.

Instant answer: The principle of least privilege states that people should have the fewest privileges necessary to allow them to perform their tasks.
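The need-to-know and least privilege sections describe three separate conditions that an access decision must satisfy: the subject’s clearance level must be at least the resource’s classification, the subject must have a need-to-know for the information, and the requested operation must be one explicitly granted for that specific location rather than a blanket right on the whole share. The following is an added example, not the book’s code, that evaluates a request in that order with a “deny all” default; the share paths, user names, classification labels, and compartment codes (FIN, HR) are all constructed for the illustration.

```python
"""Default-deny access decision: clearance, need-to-know, then least privilege.

Constructed example, not from the book. A request is evaluated in three steps,
any of which can deny on its own:
  1. clearance level must be at least the resource's classification,
  2. the subject must hold every need-to-know compartment on the resource,
  3. the operation must be explicitly granted for the path (or a parent
     directory); anything not granted is denied.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordered classification levels (illustrative names).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know compartments


@dataclass
class Subject:
    name: str
    clearance: Label
    grants: dict = field(default_factory=dict)  # directory -> set of operations


@dataclass(frozen=True)
class Resource:
    path: str
    label: Label


def granted_ops(subject: Subject, path: str) -> frozenset:
    """Operations granted on `path` by the most specific (longest) directory grant."""
    best = None
    for directory, _ops in subject.grants.items():
        if path == directory or path.startswith(directory.rstrip("/") + "/"):
            if best is None or len(directory) > len(best):
                best = directory
    return frozenset(subject.grants[best]) if best else frozenset()


def decide(subject: Subject, resource: Resource, operation: str) -> tuple[bool, str]:
    """Return (allowed, reason). The reason names the first condition that failed."""
    if LEVELS[subject.clearance.level] < LEVELS[resource.label.level]:
        return False, "denied: clearance level below resource classification"
    missing = resource.label.compartments - subject.clearance.compartments
    if missing:
        return False, f"denied: no need-to-know for {sorted(missing)}"
    if operation not in granted_ops(subject, resource.path):
        return False, f"denied: '{operation}' not granted on {resource.path} (default deny)"
    return True, "allowed"


# Constructed sample data: two directories on one finance share.
REPORTS = Resource("/shares/finance/reports/q3.xlsx", Label("confidential", frozenset({"FIN"})))
PAYROLL = Resource("/shares/finance/payroll/salaries.xlsx", Label("secret", frozenset({"HR"})))

# bob: cleared to secret, need-to-know only for FIN, read/modify on one directory.
BOB = Subject("bob", Label("secret", frozenset({"FIN"})),
              grants={"/shares/finance/reports": {"read", "modify"}})
# carol: has the HR need-to-know but only a confidential clearance.
CAROL = Subject("carol", Label("confidential", frozenset({"HR"})),
                grants={"/shares/finance/payroll": {"read"}})
# dan: full permissions on the whole share, the over-privileged case the text warns about.
DAN = Subject("dan", Label("top_secret", frozenset({"FIN", "HR"})),
              grants={"/shares/finance": {"read", "modify", "delete"}})

if __name__ == "__main__":
    for subj, res, op in [(BOB, REPORTS, "read"), (BOB, REPORTS, "delete"),
                          (BOB, PAYROLL, "read"), (CAROL, PAYROLL, "read"),
                          (DAN, PAYROLL, "delete")]:
        allowed, reason = decide(subj, res, op)
        print(f"{subj.name:5} {op:6} {res.path}: {reason}")
```

Two of the sample outcomes are the ones the text calls out: bob is cleared to secret yet is denied the payroll file because he lacks the HR need-to-know, and bob cannot delete a report he may read and modify because delete was never granted. Dan’s share-wide grant passes every check, which is exactly why the text treats such a grant as a risk: nothing in the decision stops an accidental delete of the whole directory.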

User monitoring

Monitoring the activities of an organization’s users, particularly those who have special (for example, administrator) privileges, is another important security practice.

User monitoring can include casual or direct observation, analysis of security logs, inspection of workstation hard drives, random drug testing (in certain job functions and in accordance with applicable privacy laws), audits of attendance and building access records, review of call logs and transcripts, and other activities.

User monitoring, and its purposes, should be fully addressed in an organization’s written policy manuals. Information systems should display a login warning that clearly informs the user that their activities may be monitored and for what purposes. The login warning should also clearly indicate who owns the information and information assets processed on the system or network, and that the user has no expectation of privacy with regard to information stored or processed on the system. The login process should require users to affirmatively acknowledge the login warning by clicking OK or I Agree in order to gain access to the system.

An organization should conduct user monitoring in accordance with its written policies and applicable laws. Also, only personnel authorized to do so (such as security, legal, or human resources) should perform this monitoring, and only for authorized purposes.

Termination of employment

Employees who violate security policies (or any organizational policies for that matter) are subject to disciplinary action that may include termination. Usually termination is a last resort, but it may be necessary if an employee has a history of security problems.

It is vital to lock down or revoke local and remote access for a terminated employee as soon as possible, especially in cases where the employee is being fired or laid off. The potential consequences associated with continued access by an angry employee are serious enough to warrant emergency procedures for immediate termination of access. Cross-reference: We discuss hiring and termination practices in greater detail in Chapter 6.
