1.9 Contribute to and enforce personnel security policies and procedures
- Candidate screening and hiring
- Employment agreements and policies
- Onboarding, transfers, and termination processes
- Vendor, consultant, and contractor agreements and controls
- Compliance policy requirements
We need to understand that while it is easy to predict how a computer will function, we cannot predict how a human will behave.
When we hire somebody, we should create a job description which says what the tasks the employee is responsible for performing. We should also include in the job description the types of resources that the employee will be allowed to access.
We might create a set of roles and assign each employee to one or more roles. The role that the employee is assigned to determines their access level.
Separation of Duties is an idea that we require multiple employees to perform a task. That way, a single employee cannot bypass security controls. For example, a user who approves an invoice can’t also be the user who issued the purchase order.
Collusion is when two or more employees conspire to bypass the controls. Collusion is less likely because a single employee will need to recruit others, and risk exposing himself.
A Job Responsibility is a list of tasks that an employee performs. We use these responsibilities to determine the resources that the employee can access. The employee should only be granted access to the resources that he requires. This is known as the principle of least privilege.
We can also perform Job Rotation. An employee is not permitted to remain at a specific role for an extended period. Each employee must rotate at a different time. This allows the organization to investigate and detect potential security breaches. An employee who stays at the same role for an extended period has an opportunity to abuse his position without being detected. If a new employee fills his role, he will detect the breach. Job Rotation has the added benefit of allowing multiple employees to train in each role, so that they can be replaced if one is sick or quits.
We can also enforce this through mandatory vacations. We should force each employee to take a vacation of at least two weeks. This gives other employees the chance to review his work and detect fraud or other crimes. An employee can’t cover his tracks well if he is away.
When an employee rotates jobs, we should check his privileges and assign new ones commensurate with his duties. We should also take away privileges that he no longer requires. We should review the privileges of each employee regularly to ensure that they do not have access to resources that they no longer require. This is known as privilege creep.
When we separate duties properly, it becomes difficult for a single employee to commit a crime – a crime will require privilege from multiple employees. That means that the employees must collude to commit a crime. It is less likely that multiple employees will collude.
When hiring a new employee or contractor, we should perform employment screening. Screening costs money and the more important the position, the more thorough the screening. What are some things we look for?
- Background checks/criminal record checks
- Reference checks
- Education credential verification
- License verification
- Identity verification
- Drug testing
- Checking social media for inappropriate content
We should make the employee sign a contract (an employment agreement). The agreement tells the employee
- The job description
- The duration of the employment
- The policies of the organization (we might just reference these policies and include them in a separate document)
- The consequences of violating those policies
- Who owns the intellectual property created during the employment
We should also create a Non-Disclosure Agreement (NDA). The NDA requires the employee to protect the organization’s confidential information. The NDA is usually binding on the employee even after they have left the organization.
A Noncompete Agreement (NCA) prevents an employee from working for a competitor. For example, if Facebook hires an employee, that employee may not be allowed to quit and go to work for Twitter for five years (or two years or ten years or whatever Facebook put in the agreement).
Companies spend a lot of money recruiting and training employees and it may not be fair for those employees to jump to a competitor after a short period. For example, if an employee signs a contract with Facebook for five years and quits to work at Twitter after only one year, that might not be fair to the employer. However, the validity of NCAs has been challenged in court.
When we add a new employee, we call it onboarding. When an employee leaves, we call it offboarding. We must have a detailed onboarding and offboarding policy.
The Onboarding process may include
- Providing employee with credentials
- Issuing the employee an access card or identification card
- Issuing the employee a cell phone and laptop and other property
- Adding the employee to a company directory
- Introducing the employee to other employees
- Provide the employee with necessary training
- Informing the employee about company policies
- Assigning the employee a mentor
We must have a good onboarding policy. We should not just hire an employee and leave him to fend for himself. He won’t be productive and won’t function properly.
The Offboarding process may include
- Disabling user accounts and e-mail addresses
- Disabling access cards
- Collecting company property such as cell phones and laptops
- Informing other employees of the departure/termination, so that they do not provide him with sensitive information
- Pay the employee for the remaining time worked and possible severance
- Terminate benefits if coverage is not available to terminated employees
- Allow the employee to collect his personal belongings (while supervised by an escort or security guard)
When an employee finds out about his termination, he may react in a poor manner. If the termination is voluntary (the employee has retired or found a new job), then the employee might be calm.
If the termination is not voluntary, he may want to fight. If that employee has access to sensitive resources, he might cause damage (like disabling critical systems or deleting sensitive data). This has happened many times.
We should disable the employee’s access to system resources right before informing him about the termination. After termination, the employee should be escorted off the premises. We should collect his property prior to leaving, or we might allow him to collect his own property.
If the employee finds out about his termination prior to being officially informed (and prior to having his access revoked) he may log in to a system and cause damage.
An exit interview is the interview we perform when we terminate an employee. We can’t perform this interview if the employee is belligerent or angry. We use this interview to remind the employee about the Non-Disclosure Agreement and his obligation to protect sensitive information. We may also provide the employee with details about his severance and benefits.
- tag and identify data that is governed by the policy
- protect the data using specific technologies
- determine which employees and vendors have access to the data
- determine the length of time data can be stored
An individual may have the right to stop an organization from collecting data about him. An individual also has the right to review the data that an organization stores if that data relates to him, and to correct the data if it is inaccurate.
These rights are not absolute. For example, your insurance company has the right to collect and maintain data about you even if you move to a new insurance company. Your insurance company has the right to monitor your activities for fraud. Your employer has the right to monitor your activities on their computer system.
In general, a customer has the right to know
- the types of data you are collecting
- how you will use the data
- how long you will keep the data
- how a customer can review his data and correct inaccuracies
- who will have access to the data (including whether you share the data with third parties)
Each country has specific laws that protect personal information. Many states also have additional laws. The laws that you must follow depend on
- the jurisdiction where you are incorporated and/or where your head office is located
- the jurisdiction where you are physically operating in
- the jurisdiction where you store the data
- the jurisdiction where your customer lives
For example, a company incorporated in Delaware, with a head office in New York City, has a customer in Los Angeles and stores his data at a data center in Ohio. That company may be subject to the privacy laws of four different states and the United States federal government.
There are many federal laws in the United States that cover data privacy, as explained in a previous section.