CISSP Onboarding and Termination Processes – Bk1D1T8St3

Onboarding and Termination Processes
The processes that bring people into an organization set the tone for their work behavior. Similarly, the termination processes should clarify their obligation to respect the protection of the organization’s intellectual property and security. The security practitioner should be actively engaged with the business to ensure that the proper tone is set for behavior in the workplace.

Onboarding
Setting good expectations for work behavior should start before the employee walks in the door.

Orientation
Part of the employee orientation program should address information security expectations and requirements. Employees should be reminded of their obligations to protect information and current threats to the organization’s information assets, particularly if they are likely to be the targets of malicious actors. Further, orientation practices should inform new employees of the processes for reporting security incidents, their role in maintaining the security of their work area, and the classification and categorization processes so they can identify the level of control necessary for particular information.
Employees should also be made generally aware of the existence of controls that monitor their use of the organization’s assets. Not only does this provide them with assurance that the organization does indeed take action to protect its information, but the information alone may act as a deterrent to inappropriate behavior. The intent is not to provide the employee with sufficient technical detail to defeat the controls, but to make sure they understand that their actions may be scrutinized.
The ability of the organization to monitor employees will depend on the legal jurisdiction, union agreements, and the risks faced by the employer. For example, a recent court case in the European Union found that a private employer may monitor employee activity, provided that the employees had been given sufficient notice. Practices in Japan and India are generally consistent with this approach. In Japan, the Personal Information Protection Law regulates the collection, storage, and use of employee information, and guidelines published by the various ministries specifically call out the responsibility to notify employees that they are being monitored. In India, privacy is not a constitutional right, but privacy practices have been legislated into the IT Act of 2000/2008. In short, if monitoring is performed and the capture of information could affect the privacy of the person being monitored, best practice is to ensure that the employee is made aware of the potential for monitoring and acknowledges in writing that they have been informed of it.


Tribal Knowledge
Employee orientations set the initial expectations for employees, but the most influential information source for new employees is their supervisor and co-workers. Creating a security-aware culture is essential to ensure that new employees properly protect the organization’s information.
A common example of this is in the healthcare industry, where patient confidentiality requires that only individuals involved in the circle of care should access a patient’s records. In the past, paper records made it difficult to detect unauthorized access. However, with the broad adoption of electronic healthcare records (with attendant capabilities to monitor access), hundreds of employees at dozens of healthcare organizations have been reported as fired as a result of patient snooping. This suggests that policies which could not be enforced under past practices (snooping was against policy, but it could not be detected) can now be enforced. Organizations have been held to greater liability for having policies that they do not follow than if they had no policy at all. Consequently, it is up to management to perform their due diligence in ensuring that organizational policies are made available, implemented, and enforced.

Employment
Once an individual is accepted into the workforce, many organizations significantly reduce their evaluation of the employee’s suitability for access to sensitive information. As discussed, life circumstances and organizational expectations change, and formerly acceptable backgrounds may no longer meet the security expectations of the organization.

Periodic Reinvestigation
Holders of U.S. government security clearances are routinely required to resubmit for periodic reevaluation of their suitability. While the length of time between reinvestigations varies depending on the level of the clearance, the process nevertheless provides an opportunity to reassess whether the individual is still worthy of access to sensitive information.
The problem with periodic reinvestigation is that it is periodic—and changes to one’s life can happen within the period. Starting in 2015, the U.S. Department of Defense began moving many positions to a continuous evaluation model. In this approach, various social media forums and networks, as well as big data sources such as music-sharing and dating websites, are examined to determine whether individuals with clearances are potentially engaged in conduct that would affect their clearance. The DoD has already revoked dozens of clearances in advance of what would have been their scheduled periodic reinvestigation.
In the private sector, periodic reinvestigations are often conducted when individuals are involved in cash handling or sensitive transactions in the financial services industry. However, periodic reinvestigation remains the exception rather than the rule for other positions.

Demotion or Reduction
Disgruntled employees often are motivated to take actions against their employers. The U.S. CERT’s Insider Threat Center has identified a number of causes of disgruntlement that have led to malicious insider actions, including the following:

  • Insufficient salary increase or bonus
  • Limitations on use of company resources
  • Diminished authority or responsibilities
  • Perception of unfair work requirements
  • Feeling of being treated poorly by co-workers

A well-structured insider threat program will have processes in place to coordinate management actions, identify circumstances and individuals who are likely to cause greater risk, and be able to take actions to minimize the risk without violating the individual’s privacy rights.

Termination
Taking appropriate care when people depart organizations or roles is just as important as ensuring they are properly brought into the organization. These transitions can happen for a number of reasons, including changing business priorities, different skill requirements, new career opportunities, or transfers within the organization. These former insiders represent a risk to the organization, and appropriate actions must be taken to ensure they do not compromise the operations, intellectual property, or sensitive information with which they have been entrusted.

Voluntary
When an individual leaves an organization on good terms, it is relatively easy to go through the standard checklist: suspending electronic access; recovering access badges, uniforms, and equipment; accounting for keys; and changing the key codes on cipher locks that the departing employee used, among many other standard practices. Most organizations have well-structured off-boarding processes to ensure the removal of access when an individual is no longer entitled to organizational information or resources.
When individuals have elevated access, this often becomes more difficult, particularly in smaller organizations that lack effective controls. Access points such as shared passwords, encryption keys, various portals such as dial-in points, or even employee parking passes can be inappropriately used after access should have been terminated. Often, the organization will continue to rely on the departed individual as a consultant or volunteer, and this makes managing access even more difficult. Good organizational controls and processes to manage exceptions are essential in minimizing organizational risk.
The Insider Threat Center also identified a number of circumstances where individuals left to take a job with a competitor on apparently good terms but exfiltrated sensitive organizational information prior to their departure. This is far from unusual. A 2015 survey suggests that almost 87 percent of departing employees take information from their employers that they created during their employment.
The departure of key individuals due to voluntary reasons, death, illness, or other unforeseeable events places many organizations at risk. One estimate is that 55 percent of small businesses would not survive if a key person departed the organization. While key personnel insurance is available, a much smaller percentage (22 percent, in the United States) of organizations take advantage of it.

Involuntary
Involuntary termination of employment is an emotionally charged event for all involved. In virtually all cases, an involuntary termination forces the employer to assume the terminated individual is a threat to the organization, and appropriate action should be taken to protect organizational assets. Termination procedures at most organizations include specific processes to notify the information security organization to disable access to electronic and physical systems. Where possible, recovery of property (uniforms, keys, equipment, etc.) that the employee used should be attempted. Where appropriate, the recovered material should be tracked as evidence and retained for subsequent forensic analysis. Finally, once the individual has left the organization, the staff should be informed that the terminated individual is no longer allowed access and that any attempts by that individual to access resources or property should be reported. Organizational policies will dictate how much information is to be conveyed, but generally minimizing the disclosure of the circumstances to those with a direct need to know is considered best practice.
It is not unusual for the terminated individuals to have taken steps to harm the organization in the event that they were terminated. The most obvious forms of this are the theft of data by the terminated individual, who hopes either to sell back the key to the organization, use the information to begin or join a competing organization, or disclose the information to discredit the organization.
Other malicious strategies include logic bombs placed inside programs and encryption of data, sometimes while retaining the key in hopes of extorting money or retaining some other access to organizational assets. Good data processing practices, including a well-developed insider threat program, availability controls, and managing elevated privilege, are essential in defeating malicious actions by terminated employees.
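The access-removal steps described under both the Voluntary and Involuntary sections (disable electronic access, recover or re-key shared access points such as cipher locks and shared passwords) can be verified rather than assumed. The following is an added example written for this page, not part of the original text: a reconciliation check that compares HR separation dates against an account inventory and a shared-credential inventory, flagging personal accounts still active after the owner's last day and shared secrets a departed person knew that were never rotated afterwards. All names, dates, the `corp.example` domain and the data structures are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    name: str
    owner: str       # HR identity that holds this personal account
    active: bool

@dataclass(frozen=True)
class SharedCredential:
    name: str
    members: FrozenSet[str]       # everyone who has known the current secret value
    last_rotated: Optional[date]  # None: never rotated since it was issued

def orphaned_access(separations: Dict[str, date], accounts: List[Account],
                    shared: List[SharedCredential], as_of: date) -> List[Tuple[str, str, str]]:
    """Reconcile HR separation dates against access inventories: flag personal
    accounts still active after the owner left, and shared secrets known to a
    departed person that were not rotated on or after their separation date."""
    findings: List[Tuple[str, str, str]] = []   # (action, asset, person)
    for acct in accounts:
        left = separations.get(acct.owner)
        if left is not None and left <= as_of and acct.active:
            findings.append(("disable", acct.name, acct.owner))
    for cred in shared:
        for member in sorted(cred.members):
            left = separations.get(member)
            if left is None or left > as_of:
                continue  # still employed, or last day is still ahead
            if cred.last_rotated is None or cred.last_rotated < left:
                findings.append(("rotate", cred.name, member))
    return findings

def sample_findings() -> List[Tuple[str, str, str]]:  # constructed sample data, not real records
    separations = {"bob": date(2024, 3, 1), "carol": date(2024, 2, 15), "dave": date(2024, 4, 30)}
    accounts = [
        Account("alice@corp.example", "alice", True),   # current employee, nothing to do
        Account("bob@corp.example", "bob", True),       # left a month ago, still enabled
        Account("bob-vpn", "bob", True),                # second identity, also still live
        Account("carol@corp.example", "carol", False),  # correctly disabled at departure
        Account("dave@corp.example", "dave", True),     # departure announced but not yet effective
    ]
    shared = [
        SharedCredential("backup-svc", frozenset({"alice", "bob"}), date(2024, 2, 20)),
        SharedCredential("router-admin", frozenset({"carol"}), date(2024, 3, 10)),
        SharedCredential("cipher-lock-lobby", frozenset({"bob", "dave"}), None),
    ]
    return orphaned_access(separations, accounts, shared, as_of=date(2024, 4, 1))
```

Run periodically against the real HR feed and access inventories, each finding becomes a ticket for the access owner; the future-dated separation (dave) is deliberately left alone so that pre-announced departures do not trigger premature lockouts.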
