Personnel Security Policies and Practices
CISSP candidates must have a basic understanding of various employment policies and practices, as well as how these policies achieve information security objectives. You should also know the various information security roles and responsibilities within an organization.
Background checks and security clearances
Pre- and post-employment background checks can provide an employer with valuable information about an individual whom an organization is considering for a job or position. Such checks can give an immediate indication of an individual’s integrity and can help screen out unqualified applicants.
Basic background checks should be conducted for all personnel with access to sensitive information or systems within an organization. A basic background check should include
Reference checks: Personal, professional, and employment
Verification of data in employment applications and resumes: Social Security numbers, education, professional/technical certifications, military records, and previous employment
Other records: Court, local law enforcement, and motor vehicle records
Personnel who fill sensitive positions should undergo a more extensive pre-employment screening and background check, possibly including
Credit records
Drug testing
Special background investigation: FBI and INTERPOL records, field interviews with former associates, or a personal interview with a private investigator
Periodic post-employment screenings (such as credit records and drug testing) may also be necessary, particularly for personnel with access to financial data, cash, or high-value assets, or for personnel being considered for promotions to more sensitive or responsible positions.
Employment agreements
Various employment agreements should be signed when an individual joins an organization or is promoted to a more sensitive position within an organization. Typical employment agreements include non-compete/non-disclosure agreements and acceptable use policies.
Hiring and termination practices
Hiring and termination practices should be formalized within an organization to ensure fair and uniform treatment and to protect the organization and its information assets.
Standard hiring practices should include background checks and employment agreements (as we discuss in the preceding sections), as well as a formal indoctrination and orientation process. This process may include formal introductions to key organizational personnel, creating user accounts and assigning IT resources (PCs and notebook computers, for example), assigning security badges and parking permits, and a general policy discussion with Human Resources personnel.
Formal termination procedures should be implemented to help protect the organization from potential lawsuits, property theft and destruction, unauthorized access, or workplace violence. Procedures should be developed for various scenarios including resignations, termination, layoffs, accident or death, immediate departures versus prior notification, and hostile situations. Termination procedures may include
Having the former employee surrender keys, security badges, and parking permits
Conducting an exit interview
Having security escort the former employee to collect his or her personal belongings and/or to leave the premises
Asking the former employee to return company materials (notebook computers, mobile phones and devices, PDAs, and so on)
Changing door locks and system passwords
Formally turning over duties and responsibilities
Removing network and system access and disabling user accounts
Enforcing policies regarding retention of e-mail, personal files, and employment records
Notifying customers, partners, vendors, and contractors, as appropriate
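The item “Removing network and system access and disabling user accounts” is the one on this list that can be verified mechanically, and in practice the gap between a termination date and the last enabled account is where most offboarding failures hide. The following is an added example (not from the original text) that reconciles an HR termination feed against an account inventory and reports access that outlived its revocation deadline, plus any login recorded after the last day. The employee ids, system names, dates and the grace-period rule are all constructed for illustration; a real run would pull the two feeds from the HR system and from each system’s admin API.

```python
"""Offboarding reconciliation: find access that outlives a termination.

Added example (not part of the original text). It assumes two feeds that
real organizations would pull from the HR system and from each system's
admin API; both are constructed inline here so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Termination:
    employee_id: str
    last_day: date
    reason: str          # "resignation", "layoff", "hostile" (constructed labels)


@dataclass(frozen=True)
class Account:
    system: str          # "directory", "vpn", "badge", ...
    employee_id: str
    enabled: bool
    last_login: Optional[date]


# Constructed sample data: one HR termination feed and one account inventory.
TERMINATIONS = [
    Termination("E100", date(2024, 3, 1), "resignation"),
    Termination("E200", date(2024, 3, 4), "hostile"),
    Termination("E400", date(2024, 3, 4), "layoff"),
]
ACCOUNTS = [
    Account("directory", "E100", True,  date(2024, 2, 28)),  # should be gone by now
    Account("vpn",       "E100", False, date(2024, 2, 27)),  # correctly disabled
    Account("badge",     "E200", True,  date(2024, 3, 5)),   # hostile exit, still active, used after last day
    Account("directory", "E300", True,  date(2024, 3, 5)),   # current employee, not in the HR feed
    Account("directory", "E400", True,  None),               # layoff, still inside the grace period
]
TODAY = date(2024, 3, 5)


def revocation_deadline(t: Termination) -> date:
    """Hostile departures get no grace at all; other departures get one day for
    formal turnover of duties. Assumption: the grace values are illustrative policy."""
    grace = timedelta(days=0) if t.reason == "hostile" else timedelta(days=1)
    return t.last_day + grace


def find_stale_access(terminations, accounts, today) -> List[Tuple[str, str]]:
    """(employee_id, system) pairs still enabled after the revocation deadline."""
    deadline = {t.employee_id: revocation_deadline(t) for t in terminations}
    stale = [
        (a.employee_id, a.system)
        for a in accounts
        if a.enabled and a.employee_id in deadline and today > deadline[a.employee_id]
    ]
    return sorted(stale)


def activity_after_departure(terminations, accounts) -> List[Tuple[str, str, str]]:
    """Logins dated after the last day: a stronger signal than a merely enabled
    account, and the kind of finding that belongs in an incident ticket rather
    than a cleanup queue."""
    last_day = {t.employee_id: t.last_day for t in terminations}
    hits = [
        (a.employee_id, a.system, a.last_login.isoformat())
        for a in accounts
        if a.last_login and a.employee_id in last_day and a.last_login > last_day[a.employee_id]
    ]
    return sorted(hits)


if __name__ == "__main__":
    for emp, system in find_stale_access(TERMINATIONS, ACCOUNTS, TODAY):
        print(f"STALE    {emp:6} {system}")
    for emp, system, when in activity_after_departure(TERMINATIONS, ACCOUNTS):
        print(f"ACTIVITY {emp:6} {system} login on {when}")
```

Two design points carry over to real deployments: the HR feed, not a ticket queue, is the source of truth for who has left, and the check is run on a schedule against every system that holds accounts (badge readers included), because a single missed system is enough to undo the rest of the procedure.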
Job descriptions
Concise job descriptions that clearly identify an individual’s responsibility and authority, particularly on information security issues, can help
Reduce confusion and ambiguity.
Provide legal basis for an individual’s authority or actions.
Demonstrate any negligence or dereliction in carrying out assigned duties.
Security roles and responsibilities
The truism that information security is “everyone’s responsibility” is too often put into practice as “Everyone is responsible, but no one is accountable.” To avoid this pitfall, specific roles and responsibilities for information security should be defined in an organization’s security policy, individual job or position descriptions, and third-party contracts. These roles and responsibilities should apply to employees, consultants, contractors, interns, and vendors. And they should apply to every level of staff, from C-level executives to line employees. Several broad categories for information security roles and common responsibilities are discussed in the following sections.
Management
Senior-level management is often responsible for information security at several levels, including the role as an information owner, which we discuss in the following section. However, in this context, management has a responsibility to demonstrate a strong commitment to an organization’s information security program through the following actions:
Creating a corporate information security policy: This policy should include a statement of support from management and should also be signed by the CEO, COO, or CIO.
Leading by example: A CEO who refuses to carry a mandatory identification badge or who bypasses system access controls sets a poor example.
Rewarding compliance: Management should expect proper security behavior and acknowledge, recognize, and/or reward employees accordingly.
Owner
An information owner is normally assigned at an executive or senior-management level within an organization, such as director or vice-president. An information owner doesn’t legally own the information assigned to him or her; the information owner is ultimately responsible for safeguarding assigned information assets and may have fiduciary responsibility or be held personally liable for negligence in protecting these assets under the concept of due care.
Typical responsibilities of an information owner may include
Determining information classification levels for assigned information assets
Determining policy for access to the information
Maintaining inventories and accounting for assigned information assets
Periodically reviewing classification levels of assigned information assets for possible downgrading, destruction, or disposal
Delegating day-to-day responsibility (but not accountability) and functions to a custodian
Custodian
An information custodian is the individual who has day-to-day responsibility for protecting information assets. IT systems administrators or network administrators often fill this role. Typical responsibilities may include
Performing regular backups and restoring data, when necessary
Ensuring that directory and file permissions are properly implemented and provide sufficient protection
Assigning new users to appropriate permission groups and revoking user privileges, when required
Maintaining classified documents or other materials in a vault or secure file room
Users
An end-user (or user) includes just about everyone within an organization. Users aren’t specifically designated. They can be broadly defined as anyone who has authorized access to an organization’s internal information or information systems. Typical user responsibilities include
Complying with all security requirements defined in organizational policies, standards, and procedures; applicable legislative or regulatory requirements; and contractual requirements (such as non-disclosure agreements and Service Level Agreements).
Exercising due care in safeguarding organizational information and information assets.
Participating in information security training and awareness efforts.
Reporting any suspicious activity, security violations, security problems, or security concerns to appropriate personnel.
Separation of duties and responsibilities
The concept of separation (or segregation) of duties and responsibilities ensures that no single individual has complete authority and control over a critical system or process. This practice promotes security in the following ways:
Reduces opportunity for waste, fraud, or abuse.
Provides two-man control (also called dual-control or two-person integrity).
Reduces dependence on individuals (see the section “Avoiding single points of failure,” earlier in this chapter).
Smaller organizations may find this practice difficult to implement because of limited personnel and resources.
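Separation of duties shows up in two places in a system: as a static rule about which roles one person may not hold together, and as a runtime check that a sensitive action was initiated by one person and approved by a different one (the two-person integrity mentioned above). The following is an added example (not from the original text) that implements both. The role names, the table of conflicting role pairs and the sample assignments are constructed for illustration; the point is that holding both roles does not let one person perform both halves, and that the static check finds the conflicting assignments a smaller organization may have to tolerate so that a compensating control can be placed on them.

```python
"""Separation of duties in two forms: a static check for conflicting role
combinations, and runtime dual control (two-person integrity) on one action.

Added example, not from the original text. The role names, the table of
conflicting pairs and the sample assignments are all constructed here.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed SoD matrix: pairs of roles one person must never hold at once.
CONFLICTING_ROLES = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_production"}),
}

# Constructed role assignments.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"initiate_payment"},
    "bob":   {"approve_payment"},
    "carol": {"initiate_payment", "approve_payment"},   # conflicting combination
    "dave":  {"develop_code", "deploy_production"},     # conflicting combination
    "erin":  {"develop_code"},
}


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Every (user, role_a, role_b) where the user holds a conflicting pair."""
    findings = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTING_ROLES:
                findings.append((user, a, b))
    return sorted(findings)


class DualControl:
    """Two-person integrity for a single sensitive action.

    Each request needs an initiator holding `initiate_role` and a different
    approver holding `approve_role`. Holding both roles does not let one
    person do both halves: that is exactly the case the check exists to stop.
    """

    def __init__(self, assignments, initiate_role="initiate_payment", approve_role="approve_payment"):
        self.assignments = assignments
        self.initiate_role = initiate_role
        self.approve_role = approve_role
        self.pending: Dict[str, str] = {}            # request_id -> initiator
        self.log: List[Tuple[str, str, str]] = []    # (request_id, user, outcome) audit trail

    def _has(self, user: str, role: str) -> bool:
        return role in self.assignments.get(user, set())

    def initiate(self, request_id: str, user: str) -> str:
        if not self._has(user, self.initiate_role):
            outcome = "rejected: initiator lacks role"
        elif request_id in self.pending:
            outcome = "rejected: duplicate request"
        else:
            self.pending[request_id] = user
            outcome = "initiated"
        self.log.append((request_id, user, outcome))
        return outcome

    def approve(self, request_id: str, user: str) -> str:
        initiator = self.pending.get(request_id)
        if initiator is None:
            outcome = "rejected: unknown request"
        elif not self._has(user, self.approve_role):
            outcome = "rejected: approver lacks role"
        elif user == initiator:
            outcome = "rejected: self-approval"
        else:
            del self.pending[request_id]
            outcome = "approved"
        self.log.append((request_id, user, outcome))
        return outcome


if __name__ == "__main__":
    for user, a, b in sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    dc = DualControl(ASSIGNMENTS)
    print(dc.initiate("REQ-1", "alice"), "/", dc.approve("REQ-1", "bob"))
    print(dc.initiate("REQ-2", "carol"), "/", dc.approve("REQ-2", "carol"))
```

The audit trail kept in `log` is what makes the control reviewable: every rejected self-approval is evidence that the check is doing work, and a run of them from one user is worth a look. Where staffing forces a conflicting combination to stand, `sod_violations` names it so that dual control or a periodic review can be attached to that user’s actions.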
Job rotation
Job rotation (or rotation of duties) provides another effective security control with many benefits to an organization. Similar to the concept of separation of duties and responsibilities (discussed in the preceding section), job rotations involve regularly transferring key personnel into different positions or departments within an organization. Job rotations benefit an organization in the following ways:
Reduce opportunity for waste, fraud, or abuse.
Reduce dependence on individuals through cross-training, and promote professional growth.
Reduce monotony and/or fatigue for individuals.
As with the practice of separation of duties, job rotations can be difficult to implement in smaller organizations.