- Dec 20, 2002
- Defining Security Principles
- Security Management Planning
- Risk Management and Analysis
- Policies, Standards, Guidelines, and Procedures
- Examining Roles and Responsibility
- Management Responsibility
- Understanding Protection Mechanisms
- Classifying Data
- Employment Policies and Practices
- Managing Change Control
- Security Awareness Training
Employment Policies and Practices
Determine how employment policies and practices are used to enhance information security in your organization.
Although the first concern of management might be employees and employment policies, these seem to be the last concerns of information security management. Although various research groups say that most of the threats to information assets are from internal users, employment policies can be used to protect information security assets by setting guidelines for the following:
Background checks and security clearances
Employment agreements and hiring and termination practices
Setting and monitoring of job descriptions
Enforcement of job rotation
Background Checks and Security Clearances
Those who work for the federal government, whether as an employee or a contractor, know the rigors that go into background checks and security clearances. If you work for an agency or the military where a national security clearance is required, you probably had to fill out an extensive questionnaire that could have been verified through interviews and polygraphs. Despite some high-profile cases of personnel security lapses, the federal government does try to check everyone with access to sensitive information.
Many nongovernment organizations do not need the same type of background checks as the federal government does. However, having some type of background check should be part of the application process. Minimally, the organization should verify previous employment and other basic information provided as part of the application. For those in more sensitive positions, such as administrators and information security professionals, a further check into someone's background might be a consideration. As long as the checks are disclosed, an organization can request access to credit and criminal records to verify the applicant's suitability for her position. Organizations can even hire an outside firm that performs these checks as well as those that examine other public records to determine whether the potential for a problem or a conflict of interest exists.
Regardless of the checks your organization performs, the policies and guidelines must be disclosed to the applicant and employee. Although the government has policies for recertification security clearances, if your organization wants to do the same, that has to be disclosed to the employee. Many aspects of this are covered by federal, state, and local statues and civil rights laws and should be cleared with an attorney before implementing.
Employment Agreements, Hiring, and Termination
In nearly every job I have had, there has been at least one employment agreement that says I will not violate policies and will maintain the integrity of the information for which I am being trusted. Other policies have included nondisclosure and intellectual property agreements. Whatever makes sense for your organization, these agreements should be presented to the new employee when he first arrives for work.
Employment agreements are used to protect the organization from something the employee can do. It is a protection from the insider threat. Agreements can also provide the organization a means by which to discipline employees if an enforcement action is necessary. By having the employee sign the agreements, the organization has the ability to enforce the policies behind them by showing that the employee was notified of what was expected from him.
The Acceptable Usage Policy
The acceptable usage policy (AUP) is a document that summarizes the overall information security policy for the users. The AUP can contain parts of the organization's policies outlining the user's security responsibilities. Most of the time, they are highlighted components and written in plain language. A successful AUP is short and to the point. Ideally, the AUP should be only a few pages long.
Usually, the AUP is a signed document that acts as an agreement to abide by the information security policies it represents. It can be given to the new employee, contractor, or vendor with access to the network to ensure he knows his responsibilities. The purpose is to draw attention to the policy documents without requiring the new user to read them. The AUP should say that the users will abide by the policies, but the AUP can be seen as a "quick start" document to allow users to read the full policy later.
There will come a time when an employee or a contractor is no longer associated with the organization. Regardless of whether the termination is from voluntary or involuntary means, administrators must have procedures in place to revoke access to the organization's resources. Keeping a user's identification active might leave the network open for attack, and just deleting the user's information can destroy potential information assets.
Regardless of the procedures used, they should consider immediate revocation of access to the networks. Additionally, personnel policies should be adjusted to ensure employees do not have the type of access to the systems, network, and physical facilities to do damage. Even for contractors whose contracts have expired or been terminated, it might be a good idea to have a manager or security guard escort the former employee out of the building. During the process, someone should collect the employee's identification badges, keys, and other access control devices; disconnect his phone; turn off his email; lock his intranet account; and so on.
As part of the procedures, everyone must work together. If those responsible for terminating network access are not told that an employee was terminated, the network can be left open to attack by a disgruntled former employee. An improperly executed procedure makes everyone responsible for an adverse reaction.
Job descriptions are usually associated with requisitions and advertisements used to fill jobs within the organization. In the information security context, job descriptions define the roles and responsibilities for each employee. Within those roles and responsibilities, procedures are used to set the various access controls to ensure that the user can get access only to the resources he is allowed to access.
During periodic audits and monitoring, a user who might be accessing information beyond his job description might be an indication of a problem. For example, a contractor working on the development of the new Web system should not be able to access accounting data. The danger to this is when the job descriptions are not properly maintained. If a job description is informally changed without changing the official job description, there can be problems trying to enforce policies. It would help if there were a policy to change job descriptions before changing access control lists.
Job rotation is the concept of not having one person in one position for a long period of time. The purpose is to prevent a single individual from having too much control. Allowing someone to have total control over certain assets can result in the misuse of information, the possible modification of data, and fraud. By enforcing job rotation, one person might not have the time to build the control that could place information assets at risk.
Another part of job rotation should be to require those working in sensitive areas to take their vacations. By having some of the employees leave the work place, others can step in and provide another measure of oversight. Some companies, such as financial organizations, require their employees to take their vacations during the calendar or fiscal year.