
OBJECTIVES

- Describe the role of security in personnel practices
- Develop secure recruiting & interviewing procedures
- Evaluate confidentiality & employee security agreements
- Understand appropriate security education, training & awareness programs
- Design an incident reporting program
- Create personnel-related security policies and procedures

INTRODUCTION

- Personnel-related policies are mostly the responsibility of the Human Relations (HR) department
- Aspects of personnel security may involve the training department, legal counsel and employee unions or associations
- Employees are simultaneously the organization's most valuable assets and its most dangerous risks
- Employees must receive information security training

FIRST CONTACT

- Risks and rewards of posting online employment ads:
  - A company can reach a wider audience
  - A company can publish an ad that gives too much information:
    - About the network infrastructure, and therefore allow a hacker to footprint the internal network easily and stealthily
    - About the company itself, inviting social engineering attacks

JOB DESCRIPTIONS

- Job descriptions are supposed to:
  - Convey the mission of the organization
  - Describe the position in general terms
  - Outline the responsibilities attached to said position
  - Outline the company's commitment to security via the use of such terms as "non-disclosure agreement"

JOB DESCRIPTIONS CONT.

- Job descriptions are NOT supposed to:
  - Include information about the internal network, such as types of servers deployed, types of routers deployed, and any other information that would allow a hacker to map the infrastructure of the internal network
  - It's harder to hack a network if one doesn't know what hardware & software are in use
  - If the above information is deemed necessary, have the ad be anonymous

THE INTERVIEW

- Job interview:
  - The interviewer should be concerned about revealing too much about the company during the interview
  - Job candidates should never gain access to secured areas
  - A job interview is a perfect foot-printing opportunity for hackers and social engineers

WHO IS THIS PERSON?

- An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
- Some higher-level positions may require even more in-depth checks
- In the military, information and users have a clearance level
  - Note the clearance level is not all they need: they also need a demonstrated need to know to access data

TYPES OF BACKGROUND CHECKS

- The company should have a basic background check level to which all employees are subjected
- Information owners may require more in-depth checks for specific roles
- Workers also have a right to privacy: not all information is fair game; gather only information relevant to the actual work they perform
- Companies should seek consent from employees before launching a background check

TYPES OF BACKGROUND CHECKS CONT.

- Educational records fall under FERPA. Schools must first have written authorization before they can provide student-related information
- Motor vehicle records fall under DPPA, which means that the DMV or its employees are not allowed to disclose information obtained by the department
- The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act

TYPES OF BACKGROUND CHECKS CONT.

- Bankruptcies may not be used as the SOLE reason to not hire someone, according to Title 11 of the US Bankruptcy Code
- Criminal history: the use of this sort of information varies from state to state
- Workers' compensation records: in most states, these records are public records, but their use may not violate the Americans with Disabilities Act

THE IMPORTANCE OF EMPLOYEE AGREEMENTS

- Confidentiality agreements
  - Agreement between employees and organization
  - Defines what information may not be disclosed by employees
  - Goal: to protect sensitive information
  - Especially important in these situations:
    - When an employee is terminated or leaves
    - When a third-party contractor was employed

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

- Affirmation agreements
  - Focus on why acceptable use policies were created and how important compliance is
  - It is a teaching tool that serves as a guideline when an employee is faced with a situation not explicitly covered in the policy

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

- Affirmation agreements
  - Should include the following topics:
    - Acceptable use of information resources
    - Internet use
    - E-mail use
    - Incidental use of information resources
    - Password management
    - Portable computers

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

- Affirmation agreements
  - The agreement should end with a commitment paragraph acknowledging that:
    - The user has read the agreement
    - The user understands the agreement
    - The user understands the consequences of violating the agreement
    - The user agrees to act in accordance with the policies set forth

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

- Affirmation agreements
  - The agreement should be dated and signed by the employee
  - The signing of the agreement should be witnessed
  - An appendix of definitions should be provided to the user

TRAINING IMPORTANT?

- Training employees
  - According to NIST: Federal agencies ... cannot protect ... information ... without ensuring that all people involved ...:
    - Understand their role and responsibilities related to the organization's mission
    - Understand the organization's IT security policy, procedures and practices
    - Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible

TRAINING IMPORTANT? CONT.

- Hackers adapt: if it is easier to use social engineering (i.e. targeting users) rather than hacking a network device, that is the road they will take
- Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company

SETA FOR ALL

- What is SETA?
  - Security Education, Training and Awareness
  - Awareness is not training: it is focusing the attention of employees on security topics in order to change their behavior
  - Security awareness campaigns should be scheduled regularly
  - Security training seeks to teach skills (per NIST)
  - Security training should NOT be dispensed only to the technical staff but to all employees

SETA FOR ALL CONT.

- What is SETA?
  - Education: a common body of knowledge should be developed for all employees
  - Specific bodies of knowledge should be developed for specific roles in the company
  - SETA funding should be codified in the security policy so that it is not slashed at the first opportunity
  - GLBA and HIPAA both include security training requirements as part of compliance

SECURITY INCIDENT REPORTING IS EVERYONE'S RESPONSIBILITY

- It is the responsibility of ALL employees to report security incidents
- Anytime data confidentiality, integrity and/or availability is threatened, a security incident report should be filed
- Users must be vigilant and trained to recognize and report security incidents
- Reporting security incidents must become a part of the corporate culture

SECURITY INCIDENT REPORTING IS EVERYONE'S RESPONSIBILITY CONT.

- A security incident reporting program should feature the following three ingredients:
  - Training users to recognize suspicious incidents
  - Implementing an easy incident reporting system
  - Staff involved in the investigation of the incident should report back to the employees who reported it, to show that the report was not dismissed and to encourage future reports

TESTING THE PROCEDURES

- The security incident reporting program should be tested to make sure that it works and that it provides investigators with the information they need
- Testing should not occur without knowledge and approval from senior management
- Testing should NOT be advertised to employees, in order to get accurate results

TESTING THE PROCEDURES CONT.

- Testing the security incident reporting system should focus on the two following topics:
  - How did the employees respond to the incident?
    - Did they apply techniques and procedures learned during training?
  - Did the employees report the incident?
- Results should be documented and analyzed. If necessary, training material should be edited for clarity or new procedures
