Chapter 6. Human Resources Security

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

• Define the relationship between information security and personnel practices.

• Recognize the stages of the employee lifecycle.

• Describe the purpose of confidentiality and acceptable use agreements.

• Understand appropriate security education, training, and awareness programs.

• Create personnel-related security policies and procedures.

Is it possible that people are simultaneously an organization’s most valuable asset and their most dangerous threat? Study after study cites people as the weakest link in information security. Because information security is primarily a people-driven process, it is imperative that the information security program be faithfully supported by information owners, custodians, and users.

For an organization to function, employees need access to information and information systems. Because we are exposing valuable assets, we must know our employees’ background, education, and weaknesses. Employees must also know what is expected of them; from the very first contact, the organization needs to deliver the message that security is taken seriously. Conversely, candidates and employees provide employers with a great deal of personal information. It is the organization’s responsibility to protect employee-related data in accordance with regulatory and contractual obligations.

Before employees are given access to information and information systems, they must understand organizational expectations, policies, handling standards, and consequences of noncompliance. This information is generally codified into two agreements: a confidentiality agreement and an acceptable use agreement. Acceptable use agreements should be reviewed and updated annually and redistributed to employees for signature. An orientation and training program should be designed to explain and expand upon the concepts presented in the agreements. Even long-standing employees continually need to be reeducated about security issues. NIST has invested significant resources in developing a role-based Security Education, Training, and Awareness (SETA) model. Although designed for government, the model is on target for the private sector.

We will begin this chapter with examining the security issues associated with employee recruitment, onboarding, user provisioning, career development, and termination. We will then discuss the importance of confidentiality and acceptable use agreements. Lastly, we will focus on the SETA training methodology. Throughout the chapter, we will codify best practices into human resources security policy.


FYI: ISO/IEC 27002:2013 and NIST Guidance

Section 7 of ISO 27002:2013 is dedicated to Human Resources Security Management with the objective of ensuring that security is integrated into the employee lifecycle.

Corresponding NIST guidance is provided in the following documents:

• SP 800-12: An Introduction to Computer Security—The NIST Handbook

• SP 800-16: Information Technology Security Training Requirements: A Role- and Performance-Based Model

• SP 800-50: Building an Information Technology Security Awareness and Training Program

• SP 800-100: Information Security Handbook: A Guide for Managers


The Employee Lifecycle

The employee lifecycle model (shown in Figure 6.1) represents the stages in an employee’s career. Specific employee lifecycle models vary from company to company, but common stages include the following:

• Recruitment—This stage includes all the processes leading up to and including the hiring of a new employee.

• Onboarding—In this stage, the employee is added to the organization’s payroll and benefits systems.

• User provisioning—In this stage, the employee is assigned equipment as well as physical and technical access permissions. The user provisioning process is also invoked whenever there is a change in the employee’s position, level of access required, or termination.

• Orientation—In this stage, the employee settles into the job, integrates with the corporate culture, familiarizes himself with coworkers and management, and establishes his role within the organization.

• Career development—In this stage, the employee matures in his role in the organization. Professional development frequently means a change in roles and responsibilities.

• Termination—In this stage, the employee leaves the organization. The specific processes are somewhat dependent on whether the departure is the result of resignation, firing, or retirement. Tasks include removing the employee from the payroll and benefits system, recovering information assets such as his smartphone, and deleting or disabling user accounts and access permissions.


FIGURE 6.1 The employee lifecycle.

With the exception of career development, we are going to examine each of these stages in relation to information security concepts, safeguards, and policies.

What Does Recruitment Have to Do with Security?

The recruitment stage includes developing and publishing job descriptions, actively seeking potential employees, collecting and assessing candidate data, interviewing, conducting background checks, and either making an offer or rejecting a candidate. A significant flow of information occurs during the recruitment stage. In hopes of attracting the most qualified candidate, information about the organization is publicly revealed. In turn, potential candidates respond with a plethora of personal information.

Job Postings

The first direct contact many potential candidates have with their future employer is a help-wanted advertisement. Historically, this advertisement was either published in a newspaper or trade journal or provided to a “headhunter” who specialized in finding potential candidates. In either case, the circulation was limited in scope and time. Today, the majority of recruiting is Internet-based. Companies may post jobs on their website, use online employment search engines such as Monster.com, or use social media such as LinkedIn. The upside of this trend is reaching a wider audience of talent. The downside is that this exposure also reaches a wider audience of potential intruders and may have the unintended consequence of exposing information about the organization. Job postings are a source that intruders often turn to. Why? Because job postings can be a wealth of information about an organization: personnel changes, product development, new services, the opening of offices, as well as basic information such as the name and phone number of the hiring manager. All of these items can be used in social engineering attacks and provide a path to more in-depth knowledge. One idea to consider is having two versions of a job description. Version A is posted and/or published and has enough information to attract the attention and interest of a potential employee. Version B is more detailed and is posted internally and/or shared with candidates who have made the “first cut.” Version B of a job description needs to be detailed enough to convey the facets of the position and has the following characteristics:

• It conveys the mission of the organization.

• It describes the position in general terms.

• It outlines the responsibilities of the position.

• It details the necessary skill set.

• It states the organization’s expectations regarding confidentiality, safety, and security. The goal of this characteristic is to deliver the message that the organization has a commitment to security and that all employees are required to honor that commitment.

What should not be in either version of the job description is information regarding specific systems, software versions, security configurations, or access controls.

Candidate Application Data

The intent of posting a job is to have candidates respond with pertinent information. Collecting candidate data is a double-edged sword. On one hand, companies need personal information to properly select potential employees. On the other hand, once this information is collected, companies are responsible for protecting the data as well as the privacy of the job seeker. Candidate data generally collected during this phase includes demographic, contact, work history, accomplishments, education, compensation, previous employer feedback, references, clearances, and certifications. If possible, legally protected non-public personal information (NPPI) such as social security number, date of birth, driver’s license or state identification number, and financial information should not be collected at this stage.

The Interview

Top-tier candidates are often invited to one or more interviews with a cross-section of personnel. Invariably, interviewers share more information than they should with job candidates. They do so for a variety of reasons. Sometimes they are trying to impress a sought-after candidate. They may be proud of (or dismayed with) the organization. Sometimes they simply do not realize the confidentiality of the information they are sharing. For example, an interviewer might reveal that the organization is about to launch a new mobile app and that they know little about how to secure it! Creating and following an interview script (that has been vetted by information security personnel) can minimize the risk of disclosure. One of the worst mistakes that an interviewer can make is taking an early-stage job candidate on a tour of the facility. A candidate should never be allowed access to secure areas without prior authorization by the information system owner. Even then, caution should be taken.

Screening Prospective Employees

You are a business owner. You have spent the last ten years toiling night and day to build your business. You have invested your personal financial resources. Your reputation in the community is intertwined with the actions of the business. How much do you need to know about your newest salesperson?

You are the Chief Executive Officer (CEO) of a Fortune 1000 financial services company. You are responsible to the stockholders and accountable to the government for the actions of your business. How much do you need to know about your new Chief Financial Officer (CFO)?

You are the Head of Medicine at your local hospital. You are responsible for maintaining the health of your patients and for guaranteeing their right to privacy. How much do you need to know about the new emergency room intake nurse?

In all three cases, the information owner wants assurance that the user will treat the information appropriately in accordance with its classification. One of the standards in determining who should have access is defining the user criteria. These criteria extend to their background: education, experience, certification/license, criminal record, and financial status. In addition, we must consider the amount of power or influence the employee will have in the organization.

For example, we expect that a CFO will have access to confidential financial records and sensitive corporate strategy documents. In addition, the CFO has the power to potentially manipulate the data. In this case, we need to be concerned about both the confidentiality and the integrity of the information. It seems obvious that the CFO needs to be held to a high standard. He should have a spotless criminal record and not be under any financial pressure that may lead to inappropriate activities such as embezzlement. Unfortunately, as corporate scandals such as Enron, Adelphia, HealthSouth, and Tyco have shown us, those in power do not always act in the best interest of the organization. The organization needs to proactively protect itself by conducting background and reference checks on potential employees and directors. The same holds true for positions of less prominence, such as a salesperson or intake nurse. Although these positions may have less power, the potential for misuse still exists.

Not all potential employees need to undergo the same level of scrutiny. It is the responsibility of the information owner to set standards based on level of information access and position. It is important to have a policy that sets the minimum standards for the organization yet affords information owners the latitude to require additional or more in-depth background checks or investigations. This is an example of a policy that in the development stage may need to involve outsiders such as legal counsel or employee representatives. Many organizations have union labor. The union contract may forbid the background checks. This policy would need to be incorporated into the next round of negotiations.

The following are rules you should be aware of:

• Workers’ right to privacy—There are legal limits on the information you can gather and use when making employment decisions. Workers have a right to privacy in certain personal matters, a right they can enforce by suing you if you pry too deeply. Make sure your inquiries are related to the job. Stick to information that is relevant to the job for which you are considering the worker.

• Getting consent—Although not universally required by law, conventional wisdom recommends asking candidates to agree to a background check. Most organizations include this request on their application forms and require the applicant to agree in writing. By law, if a candidate refuses to agree to a reasonable request for information, you may decide not to hire the worker on that basis.

• Using social media—Social media sites are increasingly being used to “learn more” about a candidate. In 2011, social media monitoring service Reppler surveyed more than 300 hiring professionals to determine when and how job recruiters are screening job candidates on different social networks. The study found that more than 90% of recruiters and hiring managers have visited a potential candidate’s profile on a social network as part of the screening process. Social media profiles include information such as gender, race, and religious affiliation. The law prohibits the use of this information for hiring. Access to this information could subject the organization to discrimination charges. Legal experts recommend that organizations have a non-decision maker conduct the search and provide to the decision maker(s) only relevant job-related information.

• Educational records—Under the Family Educational Rights and Privacy Act (FERPA), schools must have written permission in order to release any information from a student’s education record. For more information on obtaining records under FERPA, go to www.ed.gov.

• Motor vehicle records—Under the federal Drivers Privacy Protection Act (DPPA), the release or use by any state DMV (or any officer, employee, or contractor thereof) of personal information about an individual obtained by the department in connection with a motor vehicle record is prohibited. The latest amendment to the DPPA requires states to get permission from individuals before their personal motor vehicle record may be sold or released to third-party marketers.

• Financial history—According to the Federal Trade Commission (FTC), you may use credit reports when you hire new employees and when you evaluate employees for promotion, reassignment, and retention—as long as you comply with the Fair Credit Reporting Act (FCRA). Sections 604, 606, and 615 of the FCRA spell out employer responsibilities when using credit reports for employment purposes. These responsibilities include the requirement of notification if the information obtained may result in a negative employment decision. The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the federal FCRA, intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. For more information on using credit reports and the FCRA, go to www.ftc.gov.

• Bankruptcies—Under Title 11 of the U.S. Bankruptcy Code, employers are prohibited from discriminating against someone who has filed for bankruptcy. Although employers can use a negative credit history as a reason not to hire, employers cannot use bankruptcy as a sole reason.

• Criminal record—The law on how this information can be used varies extensively from state to state.

• Workers’ Compensation history—In most states, when an employee’s claim goes through Workers’ Compensation, the case becomes public record. An employer may only use this information if an injury might interfere with one’s ability to perform required duties. Under the federal Americans with Disabilities Act, employers cannot use medical information or the fact an applicant filed a Workers’ Compensation claim to discriminate against applicants.

Table 6.1 describes the various types of background checks.


TABLE 6.1 Types of Background Checks

Government Clearance

Many U.S. government jobs require that the prospective employee have the requisite security clearance. Although each government agency has its own standards, in general, a security clearance investigation is an inquiry into an individual’s loyalty, character, trustworthiness, and reliability to ensure that he or she is eligible for access to national security–related information. The process to obtain clearance is both costly and time consuming. The four-phase process includes the following stages:

1. Application phase—This phase includes verification of U.S. citizenship, fingerprinting, and completion of the Personnel Security Questionnaire (SF-86).

2. Investigative phase—This phase includes a comprehensive background check.

3. Adjudication phase—During this phase, the findings from the investigation are reviewed and evaluated based on 13 factors determined by the Department of Defense. Examples of these factors include criminal and personal conduct, substance abuse, and any mental disorders.

4. Granting (or denial) of clearance at a specific level—In order to obtain access to data, clearance and classification must match. For example, in order to view Top Secret information, the person must hold Top Secret clearance. However, merely having a certain level of security clearance does not mean one is authorized to access the information. To have access to the information, one must possess two elements: a level of security clearance, at least equal to the classification of the information, and an appropriate “need to know” the information in order to perform their duties.
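The two-element rule in the granting phase (clearance at least equal to the classification, plus a need to know) is easy to get wrong in practice, so here is a small worked decision function. This is an added example, not from the book or from any government system; the levels, compartment names, and subjects are constructed for illustration.

```python
from enum import IntEnum
from typing import FrozenSet, NamedTuple, Tuple


class Level(IntEnum):
    # Hierarchical levels; a clearance dominates any classification at or below it.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Subject(NamedTuple):
    name: str
    clearance: Level
    need_to_know: FrozenSet[str]   # compartments/projects the person is read into


class Document(NamedTuple):
    title: str
    classification: Level
    compartment: str               # the project the information belongs to


def access_decision(subject: Subject, doc: Document) -> Tuple[bool, str]:
    """Both elements must hold: clearance at least equal to the classification,
    and an established need to know for that information."""
    if subject.clearance < doc.classification:
        return False, (f"clearance {subject.clearance.name} is below "
                       f"classification {doc.classification.name}")
    if doc.compartment not in subject.need_to_know:
        return False, f"no need to know for compartment {doc.compartment!r}"
    return True, "clearance dominates classification and need to know is established"


# Constructed subjects and documents (hypothetical names, not from any real system).
ANALYST = Subject("analyst", Level.TOP_SECRET, frozenset({"PROJECT-A"}))
CLERK = Subject("clerk", Level.SECRET, frozenset({"PROJECT-A", "PROJECT-B"}))
PLAN_A = Document("Project A plan", Level.TOP_SECRET, "PROJECT-A")
PLAN_B = Document("Project B plan", Level.SECRET, "PROJECT-B")


if __name__ == "__main__":
    for who in (ANALYST, CLERK):
        for doc in (PLAN_A, PLAN_B):
            ok, why = access_decision(who, doc)
            print(f"{who.name:8} -> {doc.title:15}: {'ALLOW' if ok else 'DENY '} ({why})")
```

Note that the analyst holds Top Secret clearance yet is denied the Secret Project B plan: clearance alone never grants access, exactly as the text states.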

What Happens in the Onboarding Phase?

Once hired, a candidate transitions from a potential hire to an employee. At this stage, he or she is added to the organization’s payroll and benefits systems. In order to accomplish these tasks, the employee must provide a full spectrum of personal information. It is the responsibility of the organization to properly classify and safeguard employee data.

Payroll and Benefits Employee Data

When an employee is hired in the United States, he or she must provide proof of identity, work authorization, and tax identification. The two forms that must be completed are the Department of Homeland Security/U.S. Citizenship and Immigration Services Form I-9 Employment Eligibility Verification and the Internal Revenue Service Form W-4 Employee’s Withholding Allowance Certificate.

The purpose of Form I-9 is to prove that each new employee (both citizen and noncitizen) is authorized to work in the United States. Employees are required to provide documentation that either (a) establishes both identity and employment authorization, or (b) establishes identity together with (c) a separate document that establishes employment authorization. Employees provide original documentation to the employer, who then copies the documents, retains a copy, and returns the originals to the employee. Employers who hire undocumented workers are subject to civil and criminal penalties per the Immigration Reform and Control Act of 1986. For an example of an I-9 form, visit www.uscis.gov/sites/default/files/files/form/i-9.pdf. As shown on page 9 of this document, the required documents may contain NPPI and must be safeguarded by the employer.

Completion of Form W-4 is required in order for employers to withhold the correct amount of income tax from employee pay. Information on this form includes complete address, marital status, social security number, and number of exemptions. Additionally, according to the W-4 Privacy Act Notice, routine uses of this information include giving it to the Department of Justice for civil and criminal litigation; to cities, states, the District of Columbia, and U.S. commonwealths and possessions for use in administering their tax laws; and to the Department of Health and Human Services for use in the National Directory of New Hires. They may also disclose this information to other countries under a tax treaty, to federal and state agencies to enforce federal nontax criminal laws, or to federal law enforcement and intelligence agencies to combat terrorism. The confidentiality of information provided on Form W-4 is legally protected under 26 USC § 6103: Confidentiality and Disclosure of Returns and Return Information.

What Is User Provisioning?

User provisioning is the name given to the process of creating user accounts and group membership, providing company identification, assigning access rights and permissions as well as access devices such as a token or smartcard. This process may be manual, automated (commonly referred to as an identity management system), or a combination thereof. Prior to granting access, the user should be provided with and acknowledge the terms and conditions of an acceptable use agreement. We will examine this agreement later in the chapter. The permissions and access rights a user is granted should match his or her role and responsibilities. The information owner is responsible for defining who should be granted access and under what circumstances. Supervisors generally request access on behalf of their employees. Depending on the organization, the provisioning process is managed by the Human Resources department, the Information Security department, or the Information Technology (IT) department. We will discuss role-based access controls later in the book.

What Should an Employee Learn During Orientation?

In this stage, the employee begins to learn about the company, the job, and coworkers. Before having access to information systems, it is important that the employee understand his or her responsibilities, learn the information-handling standards and privacy protocols, and have an opportunity to ask questions. Organizational orientation is usually a Human Resources department responsibility. Departmental orientation is usually conducted by a supervisor or departmental trainer. Employee orientation training is just the beginning. Every employee should participate in SETA programs throughout his or her tenure. We’ll examine the importance of SETA later in this chapter.

Privacy Rights

The standard in most private sector organizations is that employees should have no expectation of privacy with respect to actions taken on company time or with company resources. This extends to electronic monitoring, camera monitoring, and personal searches.

• Electronic monitoring includes phone, computer, email, mobile, text, Internet access, and location (GPS-enabled devices).

• Camera monitoring includes on-premise locations, with the exception of cameras in restrooms or locker rooms where employees change clothes, which is prohibited by law.

• Personal searches extend to searching an employee, an employee’s workspace, or an employee’s property, including a car, if it is on company property. Personal searches must be conducted in accordance with state regulations.

A company should disclose its monitoring activities to employees and get written acknowledgment of the policy. According to the American Bar Association, “an employer that fails to adopt policies or warnings or acts inconsistently with its policies or warnings may find that the employee still has a reasonable expectation of privacy.” The lesson is that companies must have clear policies and be consistent in their application. Privacy expectations should be defined in the information security policy, acknowledged in the signed acceptable use agreement, and included in login banners and warnings.

Why Is Termination Considered the Most Dangerous Phase?

In this stage, the employee leaves the organization. This is an emotionally charged event. Depending on the circumstances, the terminated employee may seek revenge, create havoc, or take information with him. Don’t assume that a termination is friendly even if the employee resigns for personal reasons or is retiring. A 2009 Ponemon Institute survey of 945 individuals who were laid off, fired, or quit their jobs within the previous 12 months shows that 59% admitted to stealing confidential company information, such as customer contact lists, email lists, employee records, customer information and contact lists, and non-financial information, and 67% used their former company’s confidential information to leverage a new job. The survey also found that 53% of respondents downloaded information onto a CD or DVD; 42% downloaded data onto a USB drive; and 38% sent attachments to a personal email account.

How termination is handled depends on the specific circumstances and the transition arrangements that have been made with the employee. However, in situations where there is any concern that an employee may react negatively to being terminated or laid off, access to the network, internal and web-based applications, email, and company-owned social media should be disabled prior to informing the employee. Similarly, if there is any cause for concern associated with a resignation or retirement, all access should be disabled. If the employee is leaving to work at a competitor, the best course is to escort them off the property immediately. In all cases, make sure not to forget about remote access capabilities.
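The user provisioning section and the termination discussion above describe one process seen at three points: access is granted only after the acceptable use agreement is acknowledged and only to the extent the information owner defined for the role, it is re-run on a role change, and it is fully reversed (remote access included) before a departing employee is told. The following model of that process is an added example, not from the book or from any identity management product; the roles, entitlement names, and the employee walked through it are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Entitlements per role, as the information owner would define them
# (constructed for this example; every name here is hypothetical).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "sales":      {"email", "crm:read", "crm:write", "vpn"},
    "accounting": {"email", "ledger:read", "ledger:write", "vpn"},
    "intern":     {"email", "crm:read"},
}


@dataclass
class Account:
    username: str
    role: str
    enabled: bool = False
    aup_acknowledged: bool = False
    entitlements: Set[str] = field(default_factory=set)
    devices: List[str] = field(default_factory=list)   # token, smartcard, laptop, ...


class Provisioner:
    """Minimal user-provisioning model: access is granted only after the acceptable
    use agreement is acknowledged, always equals the role's entitlements exactly,
    and is fully withdrawn (remote access included) at termination."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []          # who requested what, for later review

    def provision(self, username: str, role: str, requested_by: str,
                  aup_acknowledged: bool, devices: List[str]) -> Account:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"role {role!r} has no entitlements defined by an information owner")
        if not aup_acknowledged:
            raise PermissionError("acceptable use agreement must be acknowledged before access")
        acct = Account(username, role, enabled=True, aup_acknowledged=True,
                       entitlements=set(ROLE_ENTITLEMENTS[role]), devices=list(devices))
        self.accounts[username] = acct
        self.audit.append(f"provision {username} role={role} by={requested_by}")
        return acct

    def change_role(self, username: str, new_role: str, requested_by: str) -> Set[str]:
        """Re-provision on a role change; returns the entitlements removed so that
        rights from the old role do not quietly accumulate."""
        acct = self.accounts[username]
        new = set(ROLE_ENTITLEMENTS[new_role])
        removed = acct.entitlements - new
        acct.role, acct.entitlements = new_role, new
        self.audit.append(f"change_role {username} -> {new_role} "
                          f"removed={sorted(removed)} by={requested_by}")
        return removed

    def terminate(self, username: str, requested_by: str) -> Dict[str, List[str]]:
        """Disable the account and strip every entitlement; returns a checklist of
        what was revoked and which devices must be recovered from the employee."""
        acct = self.accounts[username]
        revoked = sorted(acct.entitlements)
        acct.enabled = False
        acct.entitlements.clear()
        self.audit.append(f"terminate {username} revoked={revoked} by={requested_by}")
        return {"revoked": revoked, "recover_devices": list(acct.devices)}

    def has_access(self, username: str, entitlement: str) -> bool:
        acct = self.accounts.get(username)
        return bool(acct and acct.enabled and entitlement in acct.entitlements)


def run_lifecycle() -> Provisioner:
    """Walk one constructed employee through provisioning, two role changes and
    termination; returns the provisioner so the resulting state can be inspected."""
    p = Provisioner()
    p.provision("jdoe", "intern", requested_by="mgr1", aup_acknowledged=True,
                devices=["laptop-0042"])
    p.change_role("jdoe", "sales", requested_by="mgr1")       # gains crm:write and vpn
    p.change_role("jdoe", "accounting", requested_by="mgr2")  # crm rights must go away
    p.terminate("jdoe", requested_by="hr")                    # run before the employee is told
    return p


if __name__ == "__main__":
    print("\n".join(run_lifecycle().audit))
```

The `terminate` checklist is the point of the design: the remote-access entitlement is revoked along with everything else in one step, and the returned device list is what physical security uses to recover the smartphone or token the text mentions.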


FYI: The Case of the Disgruntled Ex-Network Administrator

Danielle Duann (51) of Houston, Texas, pleaded guilty on April 30, 2009 to a criminal indictment charging her with unauthorized computer access. In addition to a two-year prison term, Duann was sentenced to a three-year period of supervised release following completion of her prison sentence, and ordered to pay $94,222 in restitution to compensate her former employer for the damage that resulted from her actions.

In pleading guilty, Duann admitted to illegally accessing the computer network of LifeGift Organ Donation Center and then intentionally deleting organ donation database records, accounting invoice files, database and accounting software applications, and various backup files, without authorization. LifeGift is the sole provider of organ procurement services for more than 200 hospitals throughout 109 counties in North, Southeast, and West Texas.

According to court documents, LifeGift terminated Duann from her position as their director of IT on November 7, 2005 and revoked all of her previous administrative rights and access to the LifeGift computer network. In pleading guilty, Duann admitted that beginning on the evening of November 7, 2005 and continuing until November 8, 2005, she repeatedly gained unauthorized access to the LifeGift computer network via a remote connection from her home and intentionally caused damage by deleting numerous database files and software applications, as well as their backups, related to LifeGift’s organ and tissue recovery operations.

Duann further admitted that in an attempt to conceal her activities, she disabled the computer logging functions on several LifeGift computer servers and erased the computer logs that recorded her remote access to the LifeGift network.

This case was investigated by the FBI and was prosecuted by the Department of Justice.
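The LifeGift case shows two conditions a defender should be able to detect: remote logins by an account whose access was supposed to be revoked, and logging being switched off on a host. Both are only detectable if a copy of the logs is forwarded to a collector the administrator cannot alter, so the example below works on such a copy. This is an added example, not from the book or from the case record; the log lines, hostnames, account name, timestamps, and RFC 5737 test addresses are all constructed, and the message formats are assumed rather than taken from any particular product.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed syslog-style lines as they might arrive on a central log collector.
# Hostnames, the "exadmin" account, and the test addresses are all hypothetical.
SAMPLE_LOG: List[str] = """\
2023-06-01T16:55:02 vpn1 sshd[1201]: Accepted publickey for jsmith from 203.0.113.5
2023-06-01T19:12:44 vpn1 sshd[1340]: Accepted password for exadmin from 198.51.100.7
2023-06-01T19:13:10 db1 auditd[77]: audit daemon stopped by exadmin
2023-06-01T21:02:00 vpn1 sshd[1402]: Accepted publickey for jsmith from 203.0.113.5
2023-06-02T02:30:15 vpn1 sshd[1510]: Accepted password for exadmin from 198.51.100.7
""".splitlines()

# Accounts whose access HR says was revoked, with the revocation time (constructed).
TERMINATED: Dict[str, datetime] = {"exadmin": datetime(2023, 6, 1, 17, 0, 0)}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
LOGSTOP_RE = re.compile(r"audit daemon stopped by (?P<user>\S+)")


def parse(line: str) -> Optional[dict]:
    """Split one line into timestamp, host, process and message; None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "proc": m["proc"], "msg": m["msg"]}


def post_termination_logins(lines: List[str],
                            terminated: Dict[str, datetime]) -> List[Tuple[str, str, str, str]]:
    """Remote logins by accounts that should already have been disabled, as
    (timestamp, user, host, source address). Each hit means deprovisioning failed."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        lm = LOGIN_RE.search(ev["msg"])
        if lm is None:
            continue
        cutoff = terminated.get(lm["user"])
        if cutoff is not None and ev["ts"] >= cutoff:
            hits.append((ev["ts"].isoformat(), lm["user"], ev["host"], lm["src"]))
    return hits


def logging_disabled_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Events showing that a host's audit logging was stopped, and by whom, as
    (timestamp, host, user). Visible only because the copy lives off the host."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        sm = LOGSTOP_RE.search(ev["msg"])
        if sm is not None:
            hits.append((ev["ts"].isoformat(), ev["host"], sm["user"]))
    return hits


if __name__ == "__main__":
    for hit in post_termination_logins(SAMPLE_LOG, TERMINATED):
        print("ALERT post-termination login:", hit)
    for hit in logging_disabled_events(SAMPLE_LOG):
        print("ALERT audit logging stopped:", hit)
```

Feeding the termination list from HR into the first detector is what turns the provisioning record into a control: an account that logs in after its revocation time is an immediate incident, whatever the login itself looked like.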


The Importance of Employee Agreements

It is common practice to require employees, contractors, and outsourcers to sign two basic agreements: a confidentiality agreement (also known as a non-disclosure agreement) and an acceptable use agreement. Confidentiality agreements are in place to protect from unauthorized disclosure of information and are generally a condition of work, regardless of access to information systems. Acceptable use agreements traditionally focus on the proper use of information systems and cover such topics as password management, Internet access, remote access, and handling standards. A growing trend is to augment the agreement-distribution process with training and explanation; the ultimate goal of the acceptable use agreement is to teach the employee the importance of security, obtain commitment, and instill organizational values.

What Are Confidentiality or Non-disclosure Agreements?

Confidentiality or non-disclosure agreements are contracts entered into by the employee and the organization in which the parties agree that certain types of information remain confidential. The type of information that can be included is virtually unlimited. Any information can be considered confidential—data, expertise, prototypes, engineering drawings, computer software, test results, tools, systems, and specifications.

Confidentiality agreements perform several functions. First and most obviously, they protect confidential, technical, or commercial information from disclosure to others. Second, they can prevent the forfeiture of valuable patent rights. Under U.S. law and in other countries as well, the public disclosure of an invention can be deemed as a forfeiture of patent rights in that invention. Third, confidentiality agreements define exactly what information can and cannot be disclosed. This is usually accomplished by specifically classifying the information as such and then labeling it appropriately (and clearly). Fourth, confidentiality agreements define how the information is to be handled and for what length of time. Last, they state what is to happen to the information when employment is terminated or, in the case of a third party, when a contract or project ends.

What Is an Acceptable Use Agreement?

An acceptable use agreement is a policy contract between the company and the information systems user. By signing the agreement, the user acknowledges and agrees to the rules regarding how he or she must interact with information systems and handle information. It is also a teaching document that should reinforce the importance of information security to the organization. Another way to think about an acceptable use agreement is that it is a condensed version of the entire information security policy document specifically crafted for employees. It contains only the policies and standards that pertain to them and is written in language that can be easily and unequivocally understood. A sample acceptable use agreement can be found in Appendix C, “Information Systems Acceptable Use Agreement and Policy.”

Components of an Acceptable Use Agreement

An acceptable use agreement should include an introduction, information classifications, categorized policy statements, data-handling standards, sanctions for violations, contacts, and an employee acknowledgment:

• The introduction sets the tone for the agreement and emphasizes the commitment of the leadership of the organization.

• Data classifications define (and include examples of) the classification schema adopted by the organization.

• Applicable policy statements include Authentication & Password Controls, Application Security, Messaging Security (including email, instant message, text, and video conferencing), Internet Access Security, Remote Access Security, Mobile Device Security, Physical Access Security, Social Media, Incidental Use of Information Resources, Expectation of Privacy, and Termination.

Image Handling standards dictate by classification level how information must be stored, transmitted, communicated, accessed, retained, and destroyed.

Image Contacts should include to whom to address questions, report suspected security incidents, and report security violations.

Image The Sanctions for Violations section details the internal process for violation as well as applicable civil and criminal penalties for which the employee could be liable.

Image The Acknowledgment states that the user has read the agreement, understands the agreement and the consequences of violation, and agrees to abide by the policies presented. The agreement should be dated, signed, and included in the employee permanent record.

The Importance of Security Education and Training

NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program succinctly defines why security education and training is so important:

“Federal agencies and organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all people involved in using and managing IT:

• “Understand their roles and responsibilities related to the organizational mission;

• “Understand the organization’s IT security policy, procedures, and practices;

• “Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

“The ‘people factor’—not technology—is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this ‘asset.’

“A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources. In addition, those in the agency who manage the IT infrastructure need to have the necessary skills to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue.

“Everyone has a role to play in the success of a security awareness and training program, but agency heads, Chief Information Officers (CIOs), program officials, and IT security program managers have key responsibilities to ensure that an effective program is established agency wide. The scope and content of the program must be tied to existing security program directives and established agency security policy. Within agency IT security program policy, there must exist clear requirements for the awareness and training program.”

What Is the SETA Model?

The term security education is really a catchall for three different programs: security education, training, and awareness. NIST SP 800-16 refers to this as the SETA model and assigns specific attributes to each program. Table 6.2 shows the NIST SP 800-16 SETA model.

TABLE 6.2 NIST SP 800-16 SETA Model (table not reproduced in this extraction)

In times of corporate prosperity, SETA is often well funded. Unfortunately, the opposite is true as well: in times of economic downturn, these programs are scaled back or eliminated. That is a mistake. In hard times, there is even more temptation for industrial espionage, embezzlement, and thievery, so this is precisely when information assets need the most protection. One way to ensure the continuation of SETA programs is to codify their importance in policy. The policy makers in Washington, D.C., understood this reality and included training and security awareness requirements in a number of privacy and security regulations, including FACTA, DPPA, FISMA, and HIPAA.


FYI: HIPAA Security Awareness and Training Requirement

Although many regulations require security awareness training, HIPAA is unique in that it explicitly specifies the topics to be covered. HIPAA Section 164.308(a)(5) Security Awareness and Training states that covered entities must “implement a security awareness and training program for all members of its workforce (including management).” The requirement includes four implementation standards:

• Security reminders

• Protection from malicious software

• Log-in monitoring

• Password management

In addition, periodic retraining is required whenever environmental or operational changes affect the security of protected health information. Such changes may include new or updated policies and procedures, new or upgraded software or hardware, new security technology, or even changes to the Security Rule itself. Covered entities must document their security awareness and training programs, including ongoing security reminders.


Influencing Behavior with Security Awareness

Security awareness is defined in NIST Special Publication 800-16 as follows: “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.” Security awareness programs are designed to remind the user of appropriate behaviors. In our busy world, sometimes it is easy to forget why certain controls are in place. For example, an organization may have access control locks to secure areas. Access is granted by entering a PIN on the lock pad or perhaps using a swipe card. If the door doesn’t click shut or someone enters at the same time, the control is effectively defeated. A poster reminding us to check and make sure the door is shut completely is an example of an awareness program.

Teaching a Skill with Security Training

Security training is defined in NIST Special Publication 800-16 as follows: “Training seeks to teach skills, which allow a person to perform a specific function.” Examples of training include teaching a system administrator how to create user accounts, training a firewall administrator how to close ports, or training an auditor how to read logs. Training is generally attended by those tasked with implementing and monitoring security controls. You may recall from previous chapters that the person charged with implementing and maintaining security controls is referred to as the information custodian.

Security Education Is Knowledge Driven

Security education is defined in NIST Special Publication 800-16 as follows: “The ‘Education’ level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.”

Education is management-oriented. In the field of information security, education is generally targeted to those who are involved in the decision-making process: classifying information, choosing controls, and evaluating and reevaluating security strategies. The person charged with these responsibilities is often the information owner.

Summary

Personnel security needs to be embedded in each stage of the employee lifecycle—recruitment, onboarding, user provisioning, orientation, career development, and termination. It is the responsibility of the organization to deliver the message that security is a priority even before an employee joins the organization. Job postings, job descriptions, and even the interview process need to reflect an organizational culture committed to information security. Most importantly, companies need to protect candidate data, including NPPI, demographics, work history, accomplishments, education, compensation, previous employer feedback, references, clearances, and certifications. If the candidate is hired, the obligation extends to employee information.

Prior to hire, candidates should be subject to background checks, which may include criminal record, credit record, and licensure verification. Employers should request consent prior to conducting background checks. There are legal limits on the information that can be used to make employment decisions. Rules to be aware of include workers’ right to privacy, social media restrictions, and regulatory restraints related to credit, bankruptcy, workers’ compensation, and medical information.

Many U.S. government jobs require that the prospective employee hold the requisite security clearance. In addition to the standard screening, the clearance process investigates an individual’s loyalty, character, trustworthiness, and reliability to ensure that he or she is eligible for access to national security–related information.

Confidentiality and acceptable use agreements should be a condition of employment. A confidentiality agreement is a legally binding obligation that defines what information can be disclosed, to whom, and within what time frame.

An acceptable use agreement is an acknowledgment of organization policy and expectations. An acceptable use agreement should include information classifications, categorized policy statements, data-handling standards, sanctions for violations, and contact information for questions. The agreement should disclose and clearly explain the organization’s privacy policy and the extent of monitoring the employee should expect. Training and written acknowledgment of rights and responsibilities should occur prior to being granted access to information and information systems. Organizations will reap significant benefits from training users throughout their tenure. Security awareness programs, security training, and security education all serve to reinforce the message that security is important. Security awareness programs are designed to remind the user of appropriate behaviors. Security training teaches specific skills. Security education is the basis of decision making.

From a security perspective, termination is fraught with danger. How termination is handled depends on the specific circumstances and transition arrangements that have been made with the employee. Regardless of the circumstance, organizations should err on the side of caution and disable or remove network, internal, web-based application, email, and company-owned social media rights as soon as possible.

Human Resources policies include job recruitment, personnel screening, employee agreements, user provisioning, electronic monitoring, information security training, and employee termination.

Test Your Skills

Multiple Choice Questions

1. Which of the following statements best describes the employee lifecycle?

A. The employee lifecycle spans recruitment to career development.

B. The employee lifecycle spans onboarding to orientation.

C. The employee lifecycle spans user provision to termination.

D. The employee lifecycle spans recruitment to termination.

2. At which of the following phases of the hiring process should personnel security practices begin?

A. Interview

B. Offer

C. Recruitment

D. Orientation

3. A published job description for a web designer should not include which of the following?

A. Job title

B. Salary range

C. Specifics about the web development tool the company is using

D. Company location

4. Data submitted by potential candidates must be ____________.

A. protected as required by applicable law and organizational policy

B. not protected unless the candidate is hired

C. stored only in paper form

D. publicly accessible

5. During the course of an interview, a job candidate should be given a tour of which of the following locations?

A. The entire facility

B. Public areas only (unless otherwise authorized)

C. The server room

D. The wiring closet

6. Which of the following facts is an interviewer permitted to reveal to a job candidate?

A. A detailed client list

B. The home phone numbers of senior management

C. The organization’s security weaknesses

D. The duties and responsibilities of the position

7. Which of the following statements best describes the reason for conducting background checks?

A. To verify the truthfulness, reliability, and trustworthiness of the applicant

B. To find out if the applicant ever got in trouble in high school

C. To find out if the applicant has a significant other

D. To verify the applicant’s hobbies, number of children, and type of house

8. Which of the following statements best describes the background check criteria?

A. Criteria should be the same for all prospective employees.

B. Criteria should differ according to gender or ethnicity.

C. Criteria should be specific to the job for which an applicant is applying.

D. None of the above.

9. Social media profiles often include gender, race, and religious affiliation. Which of the following statements best describes how this information should be used in the hiring process?

A. Gender, race, and religious affiliation can legally be used in making hiring decisions.

B. Gender, race, and religious affiliation cannot legally be used in making hiring decisions.

C. Gender, race, and religious affiliation are useful in making hiring decisions.

D. Gender, race, and religious affiliation listed in social media profiles should not be relied upon as they may be false.

10. Under the Fair Credit Reporting Act (FCRA), which of the following statements is true?

A. Employers cannot request a copy of an employee’s credit report under any circumstances.

B. Employers must get the candidate’s consent to request a credit report.

C. Employers cannot use credit information to deny a job.

D. Employers are required to conduct credit checks on all applicants.

11. Candidate and employee NPPI must be protected. NPPI does not include which of the following?

A. Social security number

B. Credit card number

C. Published telephone number

D. Driver’s license number

12. Which of the following statements best describes the purpose of completing Department of Homeland Security/U.S. Citizenship and Immigration Services Form I-9 and providing supporting documentation?

A. The purpose is to establish identity and employment authorization.

B. The purpose is to determine tax identification and withholding.

C. The purpose is to document educational achievements.

D. The purpose is to verify criminal records.

13. The permissions and access rights a user is granted should match their role and responsibilities. Who is responsible for defining to whom access should be granted?

A. The information user

B. The information owner

C. The information custodian

D. The information author

14. Network administrators and help desk personnel often have elevated privileges. They are examples of which of the following roles?

A. The information owners

B. The information custodians

C. The information authors

D. The information sellers

15. Which of the following statements is not true of confidentiality agreements?

A. Confidentiality/non-disclosure agreements are legal protection against unauthorized use of information.

B. Confidentiality/non-disclosure agreements are generally considered a condition of work.

C. Confidentiality/non-disclosure agreements are legally binding contracts.

D. Confidentiality agreements should only be required of top-level executives.

16. Which of the following elements would you expect to find in an acceptable use agreement?

A. Handling standards

B. A lunch and break schedule

C. A job description

D. An evacuation plan

17. Which of the following statements best describes when acceptable use agreements should be reviewed, updated, and distributed?

A. Acceptable use agreements should be reviewed, updated, and distributed only when there are organizational changes.

B. Acceptable use agreements should be reviewed, updated, and distributed annually.

C. Acceptable use agreements should be reviewed, updated, and distributed only during the merger and acquisition due diligence phase.

D. Acceptable use agreements should be reviewed, updated, and distributed at the discretion of senior management.

18. Which of the following terms best describes the SETA acronym?

A. Security Education Teaches Awareness

B. Security Education Training Awareness

C. Security Education Teaches Acceptance

D. Security Education Training Acceptance

19. Posters are placed throughout the workplace reminding users to log off when leaving their workstations unattended. This is an example of which of the following programs?

A. A security education program

B. A security training program

C. A security awareness program

D. None of the above

20. A network engineer attends a one-week hands-on course on firewall configuration and maintenance. This is an example of which of the following programs?

A. A security education program

B. A security training program

C. A security awareness program

D. None of the above

21. The Board of Directors has a presentation on the latest trends in security management. This is an example of which of the following programs?

A. A security education program

B. A security training program

C. A security awareness program

D. None of the above

22. Companies have the legal right to perform which of the following activities?

A. Monitor user Internet access from the workplace

B. Place cameras in locker rooms where employees change clothes

C. Conduct a search of an employee’s home

D. None of the above

23. Sanctions for policy violations should be included in which of the following documents?

A. The employee handbook

B. A confidentiality/non-disclosure agreement

C. An acceptable use agreement

D. All of the above

24. Studies often cite ____________ as the weakest link in information security.

A. policies

B. people

C. technology

D. regulations

25. Which of the following terms best describes the impact of security education?

A. Long-term

B. Short-term

C. Intermediate

D. Forever

26. Which of the following privacy regulations stipulates that schools must have written permission in order to release any information from a student’s education record?

A. Sarbanes-Oxley Act (SOX)

B. HIPAA

C. Gramm-Leach-Bliley Act (GLBA)

D. FERPA

27. Which of the following regulations specifically stipulates that employees should be trained on password management?

A. FERPA

B. HIPAA

C. DPPA

D. FISMA

28. Best practices dictate that employment applications should not ask prospective employees to provide which of the following information?

A. Last grade completed

B. Current address

C. Social security number

D. Email address

29. After a new employee’s retention period has expired, completed paper employment applications should be ___________.

A. cross-cut shredded

B. recycled

C. put in the trash

D. stored indefinitely

30. Intruders might find job posting information useful for which of the following attacks?

A. A distributed denial of service (DDoS) attack

B. A social engineering attack

C. A man-in-the-middle attack

D. An SQL injection attack

Exercises

Exercise 6.1 Analyzing Job Descriptions

1. Access an online job-posting service such as Monster.com.

2. Find two IT-related job postings.

3. Critique the postings. Do they reveal any information that a potential intruder could use in designing an attack such as the specific technology or software used by the organization, security controls, or organizational weaknesses?

4. Document your findings.

Exercise 6.2 Assessing Background Checks

1. Go online and locate one company that provides background checks.

2. What types of investigative services do they offer?

3. What information do you have to provide to them?

4. What is the promised delivery time?

5. Do they require permission from the target of the investigation?

Exercise 6.3 Learning What Your Social Media Says About You

1. What can a potential employer learn about you from your social media activities?

2. Look at the profile of a friend or acquaintance. What can a potential employer learn about him or her?

Exercise 6.4 Evaluating the Actions of Bad Employees

1. Locate a news article about a terminated or disgruntled employee who stole, exposed, compromised, or destroyed company information.

2. What could the company have done to prevent the damage?

3. In your opinion, what should be the consequences of the employee action?

Exercise 6.5 Evaluating Security Awareness Training

1. Either at your school or your place of work, locate and document at least one instance of a security awareness reminder.

2. In your opinion, is the reminder effective? Explain why or why not.

3. If you can’t locate an example of a security awareness reminder, compose a memo to senior management suggesting one.

Projects

Project 6.1: Evaluating the Hiring Process

1. Contact a local business and ask to speak with the Human Resources manager or hiring manager. Explain you are a college student working on a report and explain the information you need (see step 4) in order to complete the report. Request a 15-minute meeting.

2. At the meeting, ask the manager to explain the company’s hiring process. Be sure to ask what (if any) background checks the company does and why. Also ask for a copy of a job application form. Don’t forget to thank the person for his or her time.

3. After the meeting, review the application form. Does it include a statement authorizing the company to conduct background checks? Does it ask for any NPPI?

4. Write a report that covers the following:

• Summary of meeting logistics (whom you met with, where, and when)

• Summary of hiring practices

• Summary of any information shared with you that you would classify as protected or confidential (do not include specifics in your summary)

Project 6.2: Evaluating an Acceptable Use Agreement

1. Locate a copy of your school or workplace acceptable use agreement (or equivalent document).

2. Write a critique of the agreement. Do you think that it includes enough detail? Does it explain why certain activities are prohibited or encouraged? Does it encourage users to be security conscious? Does it include sanction policy? Does it clearly explain the employee expectation of privacy? Can you tell when it was last updated? Are there any statements that are out of date?

3. Go back to Chapter 2, “Policy Elements and Style,” and review the sections on using “plain language.” Edit the agreement so that it conforms with plain language guidelines.

Project 6.3: Evaluating Regulatory Training

1. Go online and locate an example of HIPAA security awareness training and GLBA security awareness training. (Note: You can use the actual training or an outline of topics.)

2. Document the similarities and differences.

References

“Employee Life Cycle,” Search Financial Applications, accessed on 06/17/13, http://searchfinancialapplications.techtarget.com/definition/employee-life-cycle.

“Obtaining Security Clearance,” Monster.com, accessed on 06/17/13, http://govcentral.monster.com/security-clearance-jobs/articles/413-how-to-obtain-a-security-clearance.

Regulations Cited

“26 U.S.C. 6103: Confidentiality and disclosure of returns and return information,” accessed on 06/17/13, www.gpo.gov/fdsys/granule/USCODE-2011-title26/USCODE-2011-title26-subtitleF-chap61-subchapB-sec6103/content-detail.html.

“Americans with Disabilities Act (ADA),” official website of the United States Department of Justice, Civil Rights Division, accessed on 06/17/13, www.ada.gov/2010_regs.htm.

“Drivers Privacy Protection Act: DPPA,” accessed on 06/17/13, http://uscode.house.gov/download/pls/18C123.txt.

“Fair Credit Reporting Act (FCRA). 15 U.S.C. 1681,” accessed on 06/17/13, www.ftc.gov/os/statutes/031224fcra.pdf.

“Family Educational Rights and Privacy Act (FERPA),” official website of the U.S. Department of Education, accessed on 05/10/2013, www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

“Immigration Reform and Control Act of 1986 (IRCA),” official website of the U.S. Department of Homeland Security, U.S. Citizenship and Immigration Services, accessed on 06/17/13, www.uscis.gov/.

“Public Law 108–159: Dec. 4, 2003 Fair and Accurate Credit Transactions Act of 2003,” accessed on 06/17/13, www.gpo.gov/fdsys/pkg/PLAW-108publ159/.../PLAW-108publ159.pdf.

“Public Law No. 91-508: The Fair Credit Reporting Act,” accessed on 06/17/13, www.ftc.gov/os/statutes/031224fcra.pdf.

“Sarbanes-Oxley Act—SOX,” accessed on 06/17/13, http://uscode.house.gov/download/pls/15C98.txt and www.sec.gov/about/laws/soa2002.pdf.

U.S. Department of Homeland Security and U.S. Citizenship and Immigration Services, Instructions for Employment Eligibility Verification.

U.S. Department of the Treasury and Internal Revenue Service, 2013 General Instructions for Forms W-2 and W-3.

Other Research

Beesley, Caron. “Conducting Employee Background Checks—Why Do It and What the Law Allows,” SBA, accessed on 06/17/13, http://www.sba.gov/community/blogs/community-blogs/business-law-advisor/conducting-employee-background-checks-%E2%80%93-why-do.

“Houston Computer Administrator Sentenced to Two Years in Prison for Hacking Former Employer’s Computer Network,” Department of Justice, Office of Public Affairs, Press Release, July 15, 2009, accessed on 06/17/13, www.justice.gov/opa/pr/2009/July/09-crm-684.html.

“Jobs at Risk = Data at Risk,” Ponemon Institute, accessed on 06/17/13, www.ponemon.org/data-security.

Messmer, Ellen. “More Than Half of Fired Employees Steal Data,” CIO Magazine, accessed on 06/17/13, www.cio.com/article/481883/More_Than_Half_of_Fired_Employees_Steal_Data.

“Rules for Conducting Employee Background Checks,” Jaburg-Wilk, accessed on 06/17/13, www.jaburgwilk.com/articles/employee-background-checks.aspx.

“Running Background Checks,” NOLO, accessed on 06/17/13, www.nolo.com/legal-encyclopedia/running-background-checks-job-applicants-29623.html.

Smith, Diane, and Jacob Burg. “What Are the Limits of Employee Privacy?” American Bar Association, GP Solo, Volume 29, No. 6, accessed on 06/17/13, www.americanbar.org/publications/gp_solo/2012/november_december2012privacyandconfidentiality/what_are_limits_employee_privacy.html.

“The General Electric (GE) Candidate Data Protection Standards,” accessed on 06/17/13, www.ge.com/careers/privacy.
