Chapter 6: Personnel Security

Objectives
- Describe the role of security in personnel practices
- Develop secure recruiting and interviewing procedures
- Evaluate confidentiality and employee security agreements
- Understand appropriate security education, training and awareness programs
- Design an incident reporting program
- Create personnel-related security policies and procedures

Introduction
- Personnel-related policies are mostly the responsibility of the Human Resources (HR) department
- Aspects of personnel security may also involve the training department, legal counsel, and employee unions or associations
- Employees are simultaneously the organization's most valuable assets and its most dangerous risks
- Every employee must receive information security training

First Contact
Risks and rewards of posting online employment ads:
- A company can reach a wider audience
- A company can also publish an ad that gives away too much information:
  - about the network infrastructure, letting an attacker footprint the internal network easily and stealthily, without ever touching it
  - about the company itself, inviting social engineering attacks

Job Descriptions
Job descriptions are supposed to:
- Convey the mission of the organization
- Describe the position in general terms
- Outline the responsibilities attached to the position
- Signal the company's commitment to security, for example by stating that a non-disclosure agreement is required

Job Descriptions (cont.)
Job descriptions are NOT supposed to:
- Include information about the internal network, such as the types of servers or routers deployed, product names and versions, or anything else that would let an attacker map the internal infrastructure. It is harder to attack a network when the attacker does not know what hardware and software it runs.
- If such detail is deemed necessary (for example, to attract candidates with experience on a specific product), post the ad anonymously so it cannot be tied to the company

The Interview
- The interviewer should be careful not to reveal too much about the company during the interview
- Job candidates should never be given access to secured areas
- A job interview is a perfect footprinting opportunity for attackers and social engineers, and the candidate may be one

Who Is This Person?
- An organization should protect itself by running background checks on potential employees at all levels of the hierarchy
- Some higher-level positions may require even more in-depth checks
- In the military, both information and users carry a clearance level. Clearance alone is not enough: to access data, a user also needs a demonstrated need to know

Types of Background Checks
- The company should define a basic background check to which all employees are subjected
- Information owners may require more in-depth checks for specific roles
- Workers also have a right to privacy: not all information is fair game to gather, only information relevant to the actual work they will perform
- Companies should obtain the candidate's consent before launching a background check

Types of Background Checks (cont.)
- Educational records fall under FERPA: schools must have the student's written authorization before they can release student records
- Motor vehicle records fall under the Driver's Privacy Protection Act (DPPA): the DMV and its employees may not disclose personal information from driver records except for the purposes the Act permits
- Credit reports may be used prior to hiring as long as the company complies with the Fair Credit Reporting Act (FCRA), which the FTC enforces: the candidate must authorize the report in writing and must be notified if the report leads to an adverse hiring decision

Types of Background Checks (cont.)
- Bankruptcies: under Title 11 of the US Bankruptcy Code (11 U.S.C. § 525), a bankruptcy may not be used as the SOLE reason to refuse someone employment
- Criminal history: whether and how this information may be used varies from state to state
- Workers' compensation records: in most states these are public records, but using them may not violate the Americans with Disabilities Act (ADA)

The Importance of Employee Agreements
Confidentiality agreements
- An agreement between the employee and the organization
- Defines what information the employee may not disclose
- Goal: to protect sensitive information
- Especially important in two situations:
  - when an employee is terminated or leaves
  - when a third-party contractor is employed

The Importance of Employee Agreements (cont.)
Affirmation agreements
- Focus on why the acceptable use policies were created and on the importance of compliance
- Serve as a teaching tool and as a guideline when an employee faces a situation the policy does not explicitly cover

The Importance of Employee Agreements (cont.)
Affirmation agreements should cover the following topics:
- Acceptable use of information resources
- Internet use
- Incidental (personal) use of information resources
- Password management
- Portable computers

The Importance of Employee Agreements (cont.)
Affirmation agreements should end with a commitment paragraph acknowledging that:
- the user has read the agreement
- the user understands the agreement
- the user understands the consequences of violating the agreement
- the user agrees to act in accordance with the policies set forth

The Importance of Employee Agreements (cont.)
Affirmation agreements
- The agreement should be dated and signed by the employee
- The signing of the agreement should be witnessed
- An appendix of definitions should be provided to the user

Training Important?
According to NIST (SP 800-16): "Federal agencies [...] cannot protect [...] information [...] without ensuring that all people involved [...]:
- Understand their role and responsibilities related to the organization's mission
- Understand the organization's IT security policy, procedures and practices
- Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible"

Training Important? (cont.)
- Attackers adapt: if social engineering (targeting the users) is easier than attacking a network device, that is the road they will take
- Securing only the network devices while neglecting to train users on information security ignores half of the threats against the company

SETA for All
What is SETA? Security Education, Training and Awareness
- Awareness is not training: it focuses employees' attention on security topics in order to change their behavior
- Security awareness campaigns should be scheduled regularly
- Security training "seeks to teach skills" (per NIST)
- Security training should NOT be given only to the technical staff, but to all employees

SETA for All (cont.)
- Education: a common body of knowledge should be developed for all employees, and specific bodies of knowledge for specific roles in the company
- SETA funding should be codified in the security policy so that it is not cut at the first opportunity
- GLBA and HIPAA both include security training requirements as part of compliance

Security Incident Reporting Is Everyone's Responsibility
- It is the responsibility of ALL employees to report security incidents
- Whenever the confidentiality, integrity or availability of data is threatened, a security incident report should be filed
- Users must be vigilant, and trained to recognize and report security incidents
- Reporting security incidents must become part of the corporate culture

Security Incident Reporting Is Everyone's Responsibility (cont.)
A security incident reporting program should have the following three ingredients:
- Train users to recognize suspicious incidents
- Implement an easy-to-use incident reporting system
- Have the staff who investigate an incident report back to the employee who reported it, to show that the report was not dismissed and to encourage future reports

Testing the Procedures
- The security incident reporting program should be tested to make sure that it works and that it gives investigators the information they need
- Testing must not occur without the knowledge and approval of senior management
- Testing should NOT be announced to employees, or the results will not be accurate

Testing the Procedures (cont.)
Testing the security incident reporting system should focus on two questions:
- How did the employees respond to the incident? Did they apply the techniques and procedures learned in training?
- Did the employees report the incident?
Results should be documented and analyzed. If necessary, the training material should be revised for clarity, or new procedures added.
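As an added example (not from the original slides), this script scores one unannounced test of the reporting procedure against the two questions above. The event log is constructed: a simulated phishing message delivered to six employees. The event names, the 80% report-rate target and the log layout are assumptions, not the export format of any particular tool. For each employee it records whether they applied the trained procedure (no unsafe action) and whether they reported, measures how long the organization would have stayed blind before the first report, lists the reporters who should get feedback as the previous slide requires, and decides whether the training material needs revision.

```python
"""Scoring an unannounced test of the incident-reporting procedure.

Added example (not from the original slides). EVENT_LOG is a constructed
record of a simulated incident; event names and the 80% target are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed log. Columns: ISO timestamp, employee, event.
#   delivered         - the simulated incident reached the employee (exposure)
#   clicked / replied - an unsafe action the training says not to take
#   reported          - the employee used the incident-reporting channel
EVENT_LOG = """\
2024-03-04T09:00:00 alice delivered
2024-03-04T09:00:00 bob delivered
2024-03-04T09:00:00 carol delivered
2024-03-04T09:00:00 dave delivered
2024-03-04T09:00:00 erin delivered
2024-03-04T09:00:00 frank delivered
2024-03-04T09:04:10 alice reported
2024-03-04T09:06:30 bob clicked
2024-03-04T09:07:05 bob reported
2024-03-04T09:15:00 carol clicked
2024-03-04T10:42:00 dave reported
2024-03-04T11:00:00 erin replied
2024-03-04T11:30:00 erin reported
"""

UNSAFE_EVENTS = {"clicked", "replied", "opened-attachment"}  # assumed names


@dataclass
class Outcome:
    employee: str
    reported: bool
    unsafe_action: bool
    seconds_to_report: float | None  # None when the employee never reported

    @property
    def category(self) -> str:
        """Answer both slide questions at once for this employee."""
        if self.reported and not self.unsafe_action:
            return "reported-safely"
        if self.reported:
            return "reported-after-unsafe-action"
        if self.unsafe_action:
            return "unsafe-no-report"
        return "ignored"


@dataclass
class ExerciseResult:
    outcomes: dict[str, Outcome]
    report_rate: float                   # reporters / exposed employees
    unsafe_action_rate: float            # employees who acted unsafely / exposed
    first_report_seconds: float | None   # how long nobody had told the SOC
    median_seconds_to_report: float | None
    reporters_to_acknowledge: list[str]  # in reporting order; each gets feedback
    needs_training_revision: bool


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, who, what = line.split()
        events.append((datetime.fromisoformat(ts), who, what))
    events.sort(key=lambda e: e[0])  # scoring below relies on time order
    return events


def score_exercise(log_text: str, target_report_rate: float = 0.8) -> ExerciseResult:
    exposed_at: dict[str, datetime] = {}
    reported_at: dict[str, datetime] = {}
    unsafe: set[str] = set()
    for ts, who, what in parse_log(log_text):
        if what == "delivered":
            exposed_at.setdefault(who, ts)
        elif what in UNSAFE_EVENTS:
            unsafe.add(who)
        elif what == "reported":
            reported_at.setdefault(who, ts)  # the first report is what counts
    outcomes: dict[str, Outcome] = {}
    for who, t0 in exposed_at.items():
        delay = (reported_at[who] - t0).total_seconds() if who in reported_at else None
        outcomes[who] = Outcome(who, who in reported_at, who in unsafe, delay)
    delays = [o.seconds_to_report for o in outcomes.values()
              if o.seconds_to_report is not None]
    n = len(outcomes)
    report_rate = len(delays) / n if n else 0.0
    unsafe_rate = sum(o.unsafe_action for o in outcomes.values()) / n if n else 0.0
    reporters = sorted(reported_at, key=reported_at.get)
    # Revise the material when too few reported, or when anyone took the bait
    # and then stayed silent: that is the worst case for a real incident.
    needs_revision = report_rate < target_report_rate or any(
        o.category == "unsafe-no-report" for o in outcomes.values())
    return ExerciseResult(outcomes, report_rate, unsafe_rate,
                          min(delays) if delays else None,
                          median(delays) if delays else None,
                          reporters, needs_revision)


if __name__ == "__main__":
    r = score_exercise(EVENT_LOG)
    for who, o in sorted(r.outcomes.items()):
        print(f"{who:6} {o.category:30} {o.seconds_to_report}")
    print(f"report rate {r.report_rate:.0%}, unsafe-action rate {r.unsafe_action_rate:.0%}, "
          f"first report after {r.first_report_seconds:.0f}s, "
          f"median {r.median_seconds_to_report:.0f}s")
    print("acknowledge:", ", ".join(r.reporters_to_acknowledge))
    print("revise training material:", r.needs_training_revision)
```

On the constructed log four of six employees reported (67%, below the assumed 80% target), three took an unsafe action first, and one clicked without ever reporting, so the result says the material needs revision. The first report arrived after 250 seconds; that number, rather than the average, is what tells you how long a real attack would have run undetected.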

Summary
- A security policy that does not treat personnel as a permanent threat to the data the company owns is incomplete. Social engineering is more prevalent than ever.
- Failing to train users on security topics is a serious mistake, and may also put the company out of compliance with some federal mandates.
- Regular awareness campaigns should be conducted. An incident reporting system should be created and tested.