Post on 23-Feb-2016
Chapter 6: Personnel Security
Objectives
- Describe the role of security in personnel practices
- Develop secure recruiting and interviewing procedures
- Evaluate confidentiality and employee security agreements
- Understand appropriate security education, training and awareness programs
- Design an incident reporting program
- Create personnel-related security policies and procedures
Introduction
- Personnel-related policies are mostly the responsibility of the Human Resources (HR) department
- Aspects of personnel security may also involve the training department, legal counsel, and employee unions or associations
- Employees are simultaneously the organization's most valuable assets and its most dangerous risks
- Employees must receive information security training
First Contact
Risks and rewards of posting online employment ads:
- A company can reach a wider audience
- A company can publish an ad that gives too much information:
  - About the network infrastructure, allowing a hacker to footprint the internal network easily and stealthily
  - About the company itself, inviting social engineering attacks
Job Descriptions
Job descriptions are supposed to:
- Convey the mission of the organization
- Describe the position in general terms
- Outline the responsibilities attached to the position
- Outline the company's commitment to security, for example through the use of terms such as "non-disclosure agreement"
Job Descriptions Cont.
Job descriptions are NOT supposed to:
- Include information about the internal network, such as the types of servers deployed, the types of routers deployed, or any other information that would allow a hacker to map the infrastructure of the internal network
  - It is harder to attack a network when one does not know the types of hardware and software in use
- If the above information is deemed necessary, the ad should be posted anonymously
The Interview
Job interview:
- The interviewer should be careful not to reveal too much about the company during the interview
- Job candidates should never gain access to secured areas
- A job interview is a perfect footprinting opportunity for hackers and social engineers
Who Is This Person?
- An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
- Some higher-level positions may require even more in-depth checks
- In the military, both information and users have a clearance level
  - Note that a clearance level alone is not enough: users also need a demonstrated need to know before they can access data
Types of Background Checks
- The company should have a basic background check level to which all employees are subjected
- Information owners may require more in-depth checks for specific roles
- Workers also have a right to privacy: not all information is fair game to gather, only information relevant to the actual work they perform
- Companies should seek consent from employees before launching a background check
Types of Background Checks Cont.
- Educational records fall under FERPA: schools must first have written authorization before they can provide student-related information
- Motor vehicle records fall under the DPPA, which means that the DMV, or its employees, are not allowed to disclose information obtained by the department
- The FTC allows the use of credit reports prior to hiring employees, as long as companies do so in accordance with the Fair Credit Reporting Act
Types of Background Checks Cont.
- Bankruptcies may not be used as the SOLE reason not to hire someone, according to Title 11 of the US Bankruptcy Code
- Criminal history: the use of this sort of information varies from state to state
- Worker's compensation records: in most states these are public records, but their use must not violate the Americans with Disabilities Act
The Importance of Employee Agreements
Confidentiality agreements:
- An agreement between employees and the organization
- Defines what information may not be disclosed by employees
- Goal: to protect sensitive information
- Especially important in these situations:
  - When an employee is terminated or leaves
  - When a third-party contractor was employed
The Importance of Employee Agreements Cont. Affirmation Agreements
- Focuses on why acceptable use policies were created and on the importance of compliance
- A teaching tool that serves as a guideline when an employee is faced with a situation not explicitly covered in the policy
The Importance of Employee Agreements Cont. Affirmation Agreements
Should include the following topics:
- Acceptable use of information resources
- Internet use
- E-mail use
- Incidental use of information resources
- Password management
- Portable computers
The Importance of Employee Agreements Cont. Affirmation Agreements
The agreement should end with a commitment paragraph acknowledging that:
- The user has read the agreement
- The user understands the agreement
- The user understands the consequences of violating the agreement
- The user agrees to act in accordance with the policies set forth
The Importance of Employee Agreements Cont. Affirmation Agreements
- The agreement should be dated and signed by the employee
- The signing of the agreement should be witnessed
- An appendix of definitions should be provided to the user
Training Important?
Training employees. According to NIST: "Federal agencies […] cannot protect […] information […] without ensuring that all people involved […]:
- Understand their role and responsibilities related to the organization's mission
- Understand the organization's IT security policy, procedures and practices
- Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible"
Training Important? Cont.
- Hackers adapt: if it is easier to use social engineering, i.e. to target users, than to hack a network device, that is the road hackers will take
- Securing only the network devices while neglecting to train users on information security topics ignores half of the threats against the company
SETA for All
What is SETA? Security Education, Training and Awareness
- Awareness is not training: it is focusing the attention of employees on security topics in order to change their behavior
- Security awareness campaigns should be scheduled regularly
- Security training "seeks to teach skills" (per NIST)
- Security training should NOT be dispensed only to the technical staff, but to all employees
SETA for All Cont.
What is SETA? (continued)
- Education: a common body of knowledge should be developed for all employees
- Specific bodies of knowledge should be developed for specific roles in the company
- SETA funding should be codified in the security policy so that it is not slashed at the first opportunity
- GLBA and HIPAA both include security training requirements as part of compliance
Security Incident Reporting Is Everyone’s Responsibility
- It is the responsibility of ALL employees to report security incidents
- Any time data confidentiality, integrity and/or availability is threatened, a security incident report should be filed
- Users must be vigilant, and trained to recognize and report security incidents
- Reporting security incidents must become part of the corporate culture
Security Incident Reporting Is Everyone’s Responsibility Cont.
A security incident reporting program should feature the following three ingredients:
- Training users to recognize suspicious incidents
- Implementing an easy incident reporting system
- Having the staff involved in the investigation of the incident report back to the employees who reported it, to show that the report was not dismissed and to encourage future reports
Testing the Procedures
- The security incident reporting program should be tested to make sure that it works and that it provides investigators with the information they need
- Testing should not occur without the knowledge and approval of senior management
- Testing should NOT be advertised to employees, so that the results are accurate
Testing the Procedures Cont.
Testing the security incident reporting system should focus on the following two topics:
- How did the employees respond to the incident? Did they apply the techniques and procedures learned during training?
- Did the employees report the incident?
Results should be documented and analyzed. If necessary, training material should be edited for clarity or updated with new procedures.
Summary
- A security policy that does not treat personnel as a permanent threat to the data owned by the company is incomplete. Social engineering is more virulent than ever.
- Failing to train users on security topics is a bad mistake, and may result in a lack of compliance with some federal mandates.
- Regular awareness campaigns should be conducted.
- An incident reporting system should be created and tested.