CHAPTER 13
Human Resource Assurance
Even though society has evolved and become dependent upon technology, human resources still determine organizational success. It is undeniable that people are often the weakest link in maintaining the information assurance chain.
Within any organization, the people who have direct or indirect interaction with information systems are the internal users, such as office employees, system operators, implementers, administrators, designers, and managers.
There are also external users such as vendors, service providers, business partners, and unregistered users who may have access to the system. There is a wide range of information assurance issues relating to how individuals gain authorization and access to the system to perform their duties. To ensure a well-managed information assurance program, highlight these issues accordingly.
Since it is difficult to predict individual behavior, this chapter discusses controls that can be implemented to minimize human risks. Examples of these controls include hiring the most qualified individuals, performing background screening, using detailed job scope and descriptions, enforcing strict access control, providing awareness and training programs, and defining a clear disciplinary process.
Recruitment
It is essential to control the recruitment process while having information assurance objectives in mind before proceeding with any recruitment exercise. There are four key areas of focus applicable to the recruitment process.
• Inclusion of information assurance aspects in the job scope and description
• Defined level of confidentiality or sensitivity required
• Filling the vacant positions with suitable candidates
• Use of legal documents to enforce information assurance
Of course, the prudent manager will apply these four areas according to the sensitivity of the position and the associated risk.
Include Security in Job Scope/Description
A well-managed organization should document the policy implications and potential personal sanctions within all job descriptions. Not all organizations have reached this level of maturity; the information assurance team could be an exemplary starting point. Chapter 9 explains organizational maturity. In the case of an effective information assurance management program, it supports the organizational structure in place. The job scope and description should give a clear explanation about employees’ roles, responsibilities, and authorities in the organization. It is crucial to state the access level during the employee’s tenure. A defined job scope and description eliminates “gray” areas about employee responsibilities and how to respond in different situations.
Every employee has some responsibility for information assurance. It is important, therefore, to ensure that each job description in the organization emphasizes the information assurance components: its scope and the tasks, roles, and responsibilities to be fulfilled. This indicates to employees the importance of information assurance in the workplace. Furthermore, it is crucial to include a section on the sanctions to be imposed on employees if they fail to adhere to the information assurance scope of their work. The job scope/descriptions should state the responsibility to comply with the overall information assurance structure, and it should define specific information assets, information assurance processes, or activities attached to the position. Minimally, all employees should execute an acceptable use policy document to demonstrate the importance of information assurance.
Organizations may consider using an information assurance workforce framework such as the United States National Initiative for Cybersecurity Education (NICE). NICE provides organizations with a common understanding and lexicon for information assurance workforces. The framework features knowledge, skills, and abilities for the following information assurance areas:
• Operate and Maintain
• Protect and Defend
• Investigate
• Collect and Operate
• Analyze
• Securely Provision
• Oversight and Development
You can find more information regarding NICE in the “Further Reading” section later in this chapter. Human resource and capital divisions should reach out and establish relationships with the information assurance program to ensure that suitable descriptions of information assurance responsibilities and penalties are included in job descriptions.
Defined Level of Confidentiality or Sensitivity
The responsible supervisor should work with the information assurance program to determine the level of information access required for the position once a post has been identified. Employees should have only sufficient access to perform their duties and to avoid disclosure of information to unauthorized personnel. There are two general principles that apply when granting access: job division and employee rights restriction.
Examples of internationally defined standards for separation of duties or job division include the following:
• Generally Acceptable Accounting Principles (GAAP)
• Sarbanes-Oxley
• OECD principles
• U.S. National Institute of Standards and Technology Minimum Security Controls
• EU internal controls
• Monetary Authority of Singapore Internal Controls
Separation of duties relates to an act of creating distinct and separate responsibilities among the employees of a critical process to prevent compromise, breaches, or fraud. It is the responsibility of the top management to define clearly each role and responsibility. The practice of job division may minimize collusion as a component of fraud, sabotage, misuse of information, theft, and other information assurance compromises. Collusion means more than one individual working together to cause some malicious act or fraud.
Access restrictions define what level of access to information and services are appropriate for individuals to carry out their official tasks. An organization should limit reliance on key employees. When such a situation is unavoidable, the organization should include it in the information assurance policy and plan for an unexpected illness, absence, or departure.
Filling the Position
The placement of individuals in a specific position in an organization should be based on the position’s confidentiality level, suitable screening, and selection methods. Place the right candidate in the right position. Consider the following during the screening and selection process:
• Aptitude testing
• Certifications and related ethics oaths
• Employment history
• Financial checks
• Qualification of academic record and professional experience
• References from previous employment and education
• Security background check
The organization should ensure that the screening and selection process is not contrary to regulations on collection and use of personal information as well as any legislation regarding labor, credit worthiness, and employment. If personnel recruitment agencies are involved, the organization’s standard outsourcing procedures should be in place to avoid any setbacks during the process. The organization must clearly define applicant privacy protection requirements to any personnel recruitment agencies.
Use of Legal Documents to Protect Information
Acceptable use policies and other binding documents and agreements should be used to remind employees of their responsibilities and commitment to the organization. Relate this to information assurance. Two documents used frequently as legally binding in organizations: employment contract and nondisclosure agreements (NDAs).
An employment contract is an agreement between the organization and the employee defining all the terms and conditions of employment. Hence, from the point of view of information assurance, the employee’s information assurance roles and responsibilities should be defined pertaining, but not limited to, copyright, data protection rights, information ownership, information management, and information classification.
Legal counsel should help frame contracts that state that the information assurance terms and conditions are applicable beyond working hours and outside the organization’s premises. The contract should emphasize that the information assurance terms and conditions apply to all organizational information and data independent of the media or system that processes, stores, or transmits it. The contract should include a provision that the terms remain in force for a specified period after termination of service or so long as the individual holds organizational information after termination. Moreover, the contract should clearly specify the legal remedies available upon noncompliance. Prior to signing the contract, the employee and employer should ensure there is a “meeting of the minds” about the contents.
An NDA defines the identity of the organization and the employee, the level of confidentiality of the information covered, and to whom information may not be divulged. Hence, an employee should sign an NDA before they have access to the organization’s information systems or facilities. Furthermore, an NDA agreement should be reviewed whenever terms and conditions of employment change.
Employment
Organizations should define and enforce information assurance controls during the course of employment to prevent personnel from misusing information facilities and to protect information systems from human error, theft, fraud, or other breaches. This section provides some of the applicable controls that an organization may consider.
Supervisory Controls
Use appropriate supervisory skills and controls to ensure that operations run smoothly. Upon employment, managers should observe new and inexperienced employees from various aspects within the limits of the law. This observation should range from activities such as patterns of accessing the information system and facilities or personal and financial problems that may affect the employee’s performance as part of a personnel evaluation. Although laws differ among economies, in the United States, private organizations may monitor employees’ communications consistent with the prior checklist.
Organizations should always consult with legal professionals to determine the legality of all employee monitoring. Of course, employers practicing workplace monitoring should have clear policies about which activities they monitor. If during monitoring, criminal activity is suspected or identified, organizations should contact their legal counsel and appropriate law enforcement.
Rotation of Duties
The National Computer Network Emergency Response Technical Team – Coordination Center of China (CNCERT/CC) points out that rotation of duties is a form of control that minimizes fraud. It may also keep an individual from staying in a job position for long periods; it helps manage their level of motivation. These controls may not be feasible in all cases, for example, in terms of the amount of time taken to train the employee for specific tasks. However, keeping an employee in one job position for extended periods may lead the employee to having too much control over certain business functions. Such employee control may lead to fraud, can lead to misuse of resources, or may even jeopardize data integrity.
The CNCERT/CC further cites (ISC)2 documents that recommend employees holding sensitive positions should be directed to consume their annual leave. With this mandatory annual leave policy, any error or fraud can be detected during the period of employee absence. As mentioned earlier, other variations that might be considered are separation of duties to ensure split knowledge and/or dual control. For split knowledge control, no one person has all the information to perform a task; thus, teamwork is crucial to complete the task. Dual control refers to two or more individuals being required to perform a task at any one time. There are times when having two individuals perform the task together is important; this is known as the two-person rule.
Monitoring and Privacy Expectations
Personal privacy is an important aspect of an employee’s life. Employees have an expectation of privacy in certain communications such as with their doctors or with their banks. Organizations are blurring the lines between work and personal life with aggressive telework programs and the use of bring-your-own-device (BYOD) programs. Organizations must ensure they clearly delineate the expectations of the employee in terms of privacy when it comes to employee-owned devices or employees using organizational equipment for personal use.
Organizations may offer a de minimus policy for employees that states an employee may use organizational information systems and resources for personal use during a break or lunch period as long as there is no material cost to the organization. de minimus is Latin for “minimal things,” and in risk assessment it refers to a level of risk too low to be concerned with. These policies are often put in place to help employee morale and bring about work-life balance. Issues arise when an employee is put under surveillance and the monitoring captures information about their personal lives where they may have an expectation of privacy. For example, an organization monitoring an employee for an allegation of misconduct may capture sensitive restricted medical information of the employee if the employee is using the de minimus policy during his lunch break with an encrypted SSL connection to his healthcare provider. If the organization is intercepting the connection and decrypting the information, it may be wading into the waters of a privacy violation. Organizations must work carefully with their legal departments to determine appropriate policies for work-life balance that ensure proper scoped monitoring can be performed when needed.
BYOD brings more privacy issues to the table. As noted in prior chapters, an organization’s information assurance requirements should follow the organization’s information onto any media or platform. Therefore, when an organization allows its information to be processed, stored, or transmitted on an employee’s personal device, it may inadvertently give up control of the information and also expose its information through the BYOD device. Should an organization decide to pursue a BYOD approach, it must ensure it has an agreement with the employee that clearly stipulates at a minimum the security requirements of the device:
• The organization may access or seize the device and all its contents for monitoring, disciplinary, legal, or information assurance reasons.
• The employee has no expectation of privacy from the organization on any device that processes, stores, or transmits the organization’s information.
While containerization software and other mobile device technologies may greatly enhance the ability of organizations to monitor BYOD devices, organizations should assume at some point the system may fail or there may be leakage from the secure container into the personal device. At that point, the organization must ensure the previous criteria have been met.
There are emerging trends toward bringing your own software (BYOS). BYOS is characterized by employees bringing their own productivity tools to the workplace. It may increase innovation and productivity; however, it introduces unmanaged vulnerabilities and makes baseline and configuration management more complicated. Information assurance professionals should make the increased risk clear to management. Additionally, in some governments there are legal implications related to licensing and also budget augmentation. For example, in the United States, it is often illegal for anyone to give the government a gift (including software) exceeding a certain value.
Periodic Monitoring
As detailed in the earlier “Supervisory Controls” section, an organization may perform periodic monitoring of employees’ activities to detect potential fraud. Clearly, this must be consistent with local laws; however, it is important for employees to know that such monitoring may take place. Security threats may be spontaneous. If a possible threat source knows his activities and access are logged, then the controls may discourage and deter such actions.
The organization should be cautioned against routine and undisclosed monitoring because this may trigger employees’ uneasiness: feelings that they are not being trusted and are being spied upon. In some countries, there are laws that protect both employer and employee regarding monitoring. As noted prior, organizations must always confirm the legality of any monitoring. In the European Union, for example, organizations are not allowed to monitor employees without notification.
Employee Training and Awareness
The recruitment process does not stop once an employee is hired. The new employee will be trained to perform job-specific tasks including information assurance duties and responsibilities. As an example, a data entry clerk should not have the same level of training as a database administrator; however, both need to know about information assurance in general. Nevertheless, a successful information assurance training or awareness program should be tailored to specific groups. It should meet organizational security objectives and achieve specific results.
Awareness, training, and education (AT&E) is an iterative process in which employees are required to update their information assurance knowledge constantly because of changes to their positions, duties, and the overall threat/risk environment. To minimize possible information assurance risks, grant employees minimal or restricted access to the information system prior to the awareness and training program being conducted. You can find more discussion on training and awareness in Chapter 16.
Disciplinary Process
Establish and explain a formal disciplinary process for all employees specific to security breaches. The disciplinary process should ensure that employees suspected of committing any security breach are treated correctly and fairly. The impact and actions to be taken, severity of the breaches, relevant legislation, business contracts, and other relevant factors should be taken into consideration when outlining the disciplinary process.
To assure due process, use a disciplinary process based on this checklist; it should be adapted by management to ensure that all actions are in accordance not only with organization policy but also local laws and customs.
Termination or Change of Employment
Employees leave jobs or are suspended for various reasons and under voluntary or involuntary circumstances. Voluntary circumstances include study leave, vacations, family, or personal matters. Involuntary circumstances include dismissal, death, or medical incapacity.
Organizations should establish policy and procedures for secure offboarding by defining actions to be taken to handle absence and departure. The actions should include temporary or permanent closing of accounts, steps for forwarding e-mails, change of critical passwords and phone numbers, and disabling access to all systems.
Termination and suspension happen for many reasons. The employees involved have different reactions. Although termination is usually conducted in a professional manner among all parties involved, organizations may face risks when termination is adversarial. Organizations should have specific procedures to follow with each termination.
• The employee will leave the premises immediately, escorted by a security guard or manager.
• The employee will return all company assets and items of identification such as access cards or any keys that belong to the organization. If identification cannot be recovered, the employee will be added to a “No Entry Granted” list for physical security.
• The employee will receive specific instructions on whether to format the computer.
• The user account will be restricted immediately by disabling it or removing it.
• Any logs of activity and access for the employee will be archived for 90 days minimum.
Independent of the circumstances, terminated employees need to know the following:
• Their ongoing security requirements and legal responsibilities within any confidentiality agreement, employee contract, or rules of behavior
• Their terms and conditions of employment
• The effective period of those terms, conditions, and agreements
Further Reading
• AICPA. GAAP Codification. https://asc.fasb.org/imageRoot/47/49128947.pdf.
• Directive Administrative Controls. China Education and Research Network Computer Emergency Response Team (CCERT). https://www.cccure.org/Documents/HISM/015-019.html (Citing (ISC)2).
• Code of Federal Regulations, Part 5 Administrative Personnel, Subpart C—Employees Responsible for the Management or Use of Federal Computer Systems, Section 930.301 through 930.305 (5 C.F.R 930.301-305).
• Data classification. HDM Clariza Initiatives, June 16, 2007. www.trehb101.com/index.php?/archives/71-data-classifation.html.
• Financial Accounting Standards Board. GAAP Report. www.fasb.org.
• Homeland Security Presidential Directive 12. Policy for a Common Identification.
• Intelligence Community Directive Number 704. “Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and Other Controlled Access Program Information.” October 2008.
• National Institute of Standards and Technology. Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. 1996.
• National Institute of Standards and Technology Federal Information Processing Standards Publication 201-1. Personal Identity Verification (PIV) of Federal Employees and Contractors. March 2006.
• Office of Management and Budget Memorandum M-01-05, Guidance on Inter-Agency Sharing of Personal Data—Protecting Personal Privacy. December 2000.
• Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. September 2003.
• Office of Management and Budget Memorandum M-04-26, Personal Use Policies and File Sharing Technology. September 2004.
• Privacy Act of 1974 (P.L. 93-579).
• Sadowsky, G., et al. Information Technology Security Handbook, The International Bank for Reconstruction and Development. www.infodev-security.net/book/.
• Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.
• Standard for Federal Employees and Contractors. August 2004.
• United States National Initiative for Cybersecurity Education (NICE). National Cybersecurity Workforce Framework. http://csrc.nist.gov/nice/framework/.
Critical Thinking Exercises
1. Consider an organization with several different levels of management and a decentralized information technology infrastructure. Marketing has its own information technology as does manufacturing and finance. What is the best approach when hiring new employees in any area to ensure they understand their information assurance responsibilities?
2. An EU-based organization operating in the United States has knowingly allowed its employees to use personal information technology to process, store, and transmit organizational information. The organization is now being sued in a U.S. court, and all information of the organization is subject to legal hold. What must be done with the information on an employee’s personal devices?
3. Recent malware attacks encrypt the storage of computers and devices for ransom. How would an organization handle this situation with information on an employee personal (BYOD) device?