Personnel Security Policies and Procedures
The area of personnel security involves efforts to ensure that personnel within the organization are dependable and trustworthy. Personnel that can be subverted or influenced to contravene policy and law and bring harm to the organization are called “insider threats.” The purpose of personnel security is to minimize the risk and damage potential of insider threats.
Module Objectives
- Identify the various means to support personnel security goals, including common policies and procedures.
Candidate Screening and Hiring
Like many risks, the insider threat can often best be addressed before malicious activity can occur. For personnel security, this is done before they are hired and given access to the organization’s IT environment and data. There are several measures and tools that can be implemented to accomplish this. They include the following:
- Detailed and reliable job descriptions: The job description is an outline of desired and expected performance on the part of the employee; it will be used to determine if the employee is performing adequately, successfully, and in accordance with the organization’s governance. The job description is also the mechanism that will be used to demonstrate whether the employee violated, in some manner, the expectations and performance set out in the description. Therefore, it is important for the job description to have clear, precise annotation of these elements; if, for instance, the employee is terminated for acting (or not acting) in a certain way, the employee might engage in litigation to recover damages by claiming that the organization did not make the transgressive behavior known to the employee before the termination—the job description is one tool to support the organization’s allegation that the employee acted improperly. Creation of the job description should be the task of the hiring manager (who understands best the needs of the position) and the Human Resources department (which understands best the applicable laws and procedures for creating job descriptions that protect all parties involved).
- Candidate references: Another way the organization can reduce the risk of hiring a person not suitable for the position is to determine the candidate’s past performance. However, in most modern business settings, this may not lead to any particularly useful information; many organizations will not report on the performance of former employees and will only offer simplified information about the former employee’s eligibility for rehire. Also, references are often supplied by the candidates themselves, so they are not wholly independent sources.
- Employment history: A review of previous employment can assess the candidate’s progression of responsibility, appropriate experience, and gaps in employment.
- Background check: The candidate can be screened against trusted databases for suitability, such as verification of certification/credentials, educational degrees, and criminal history.
- Financial profile: Positions of accentuated trust and responsibility may also merit the organization’s review of a candidate’s financial situation. This can reveal concerns about a candidate’s trustworthiness: if the candidate has too little money, it might indicate personal problems such as addictive behavior, grossly poor judgment, or personal instability, all of which make the candidate susceptible to subversion should they get a position of responsibility; too much money may indicate that the candidate is already participating in illicit activity, has already been paid by another entity, or will not be responsive to the organization’s … A financial check usually requires the candidate’s explicit written agreement and may be limited by law in some jurisdictions.
Employment Agreements and Policies
Once the organization has decided which candidate should fill a position, additional tools are available to enhance or support the trustworthiness and security of employees and staff.
- Employee handbook: This is the written set of security policies and standards that all personnel within the organization are required to follow. It may contain proprietary information and remains the property of the organization, but employees will need access to it and should confirm receipt and understanding of the instructions it contains. This document should be constructed with input from senior management, legal counsel, and human resources subject matter experts.
- Employment contract: Every employee should enter the organization under a contractual agreement; each employment contract should explicitly codify the terms of employment, including payment and the performance expectations. The contract should also be created with input from the legal department.
- Nondisclosure agreement (NDA): The employee should sign a formal agreement not to make any unauthorized disclosure of any of the organization’s proprietary/sensitive information, both during and after the term of employment.
Onboarding and Termination Processes
The organization should have defined processes for granting access to personnel joining the organization, and those departing.
Onboarding should include a review of the contract terms and job description, formal initial training to familiarize the new employee with the organization’s security policies and procedures, the signing of a nondisclosure agreement so that the employee declares understanding of the organization’s ownership of its proprietary systems and data, and a secure process for issuing the employee any access information or tools necessary (such as user id/password, keys, tokens, etc.).
Termination (whether the employee is leaving voluntarily or at the behest of the organization) should be similarly codified. The organization should lock the employee’s IT accounts so as to prohibit the employee from making any last-minute modifications to the system or data. The organization will also need to recover any of its property from the employee, including devices, hardware, and access control items such as identity/access badges, keys, and tokens. There should be an exit interview to determine why the employee is leaving (if the departure is amicable), a review of the terms of any nondisclosure agreement, and the employee should be escorted from the premises.
Vendor, Consultant, and Contractor Agreements and Controls
Employees and staff are not the only personnel who might have access to the organization’s IT environment. Vendors, consultants, and contractors from outside the organization might also have access. It is important for the organization to create procedures and processes that properly constrain and distinguish access by nonemployees.
Some tools the organization may consider for these purposes:
- Additional contractual protections: The organization should protect itself from harm done by external parties that the organization has granted (even limited) access to; the contract between the parties can stipulate the form of protection necessary for accomplishing this (often monetary). This protection can take the form of cash payments for failing to meet the agreed terms, requirements for the external party to maintain the appropriate insurance policies (in professional services, this is often addressed by errors and omissions policies), or an express transfer of liability (where allowed by law).
- Distinct accounts: External parties might be granted differentiated accounts from other users; these accounts might provide limited access or convey additional audit trail information.
- Escort requirements: External parties might require constant monitoring, either via surveillance or by being continually in the presence of an employee of the organization.
- Distinguishing identification: Identity/access badges for non-employee personnel might be jarringly different than employee badges, such as having a distinctly different color or shape.
As with internal personnel, external personnel should be required to sign nondisclosure agreements to concede and recognize the organization’s ownership of its own proprietary assets.
Compliance Policy Requirements
Organizations should also utilize acceptable use policies (AUPs) for all personnel. The AUP should detail, from the user’s expected perspective, the appropriate and approved usage of the organization’s assets, including the IT environment, devices, and data. Each employee (or anyone having access to the organization’s assets) should be required to sign an AUP, preferably in the presence of an employee of the organization, and both parties should keep a copy of the AUP for their records.
Policy aspects commonly included in AUPs:
- Data access
- System access
- Data disclosure
- Passwords
- Data retention
- Internet usage
It is also possible to determine and enforce personnel compliance with the organization’s security policy by conducting surveillance of their activity. If the organization uses this option, it is extremely important that surveillance programs and functions are conducted in strict accordance with applicable laws; many countries have severe legal restrictions on how and when organizations can observe the activity of their personnel.
Privacy Policy Requirements
When personnel have access to PII, it is imperative that the organization documents that the personnel understand and acknowledge the organization’s policies and procedures for handling of that type of material. This type of documentation is similar to the AUP but is specific to privacy data.
The organization’s privacy policy should stipulate which information is considered PII, the appropriate handling procedures and mechanisms used by the organization, how the user is expected to perform in accordance with the stated policy and procedures, any enforcement mechanisms and punitive measures for failure to comply, and references to applicable regulations to which the organization is subject (this can include national laws for certain jurisdictions, such as the GDPR and PIPEDA, laws for specific industries in certain countries such as HIPAA and GLBA, or local laws set by the state/municipality in which the organization operates).
The organization should also have a document that is a version of the privacy policy as it affects customers and other external parties. For instance, a medical provider should be able to present patients with a description of how the provider will protect their information (or a reference to where they can find this description, such as the provider’s website).