  1. Most organizations have Employee Policies:
    1. Small companies may implement a code of ethics and an emergency response plan.
    2. Larger organizations may choose to certify to a specific standard:
      1. ISO 9001
  2. Privacy Policies
    1. The Privacy Act of 1974 (US)
      1. Establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.
      2. Governs Personally Identifiable Information (PII) security standards.
  3. Acceptable Use Policies (AUP)
    1. Policies that define the rules that restrict how a computer, network, or other system may be used.
    2. AUPs are often signed during the onboarding process, before the employee has been introduced to sensitive information.
    3. If a supervisor instructs an employee to perform a task that conflicts with the terms set forth in the signed AUP, the employee should know to refuse that instruction.
  4. Change Management
    1. A structured way of changing the state of a computer system, network, or IT procedure.
    2. Any proposed change must be presented to the heads of each department it might affect.
    3. Those department heads must approve the change before it takes effect.
    4. Before this happens, department managers will most likely make recommendations and/or give stipulations.
    5. When the necessary people have signed off on the change, it should be tested and then implemented.
    6. During implementation, it should be monitored and documented carefully.
  5. Separation of Duties
    1. This is when more than one person is required to complete a particular task or operation.
    2. Distributes control over a system, infrastructure, or particular task.
    3. Job Rotation
      1. Two or more employees switch roles at regular intervals, in order to increase user insight and skill level, and to decrease the risk of fraud and other illegal activities.
      2. One of the checks and balances that might be employed to enforce the proper separation of duties.
  6. Mandatory Vacations
    1. When an organization requires that employees take a certain number of days of vacation consecutively, helping to detect potential malicious activity such as fraud or embezzlement.
  7. Onboarding and Offboarding
    1. Onboarding:
      1. When a new employee is added to an organization, and their identity is added to its access management system.
      2. Incorporates training, formal meetings, lectures, and human resources employee handbooks and videos.
      3. It can also be implemented when a person changes roles within an organization.
      4. Ultimately provides better job performance and higher job satisfaction.
    2. Offboarding:
      1. Procedurally removing an employee from a federated identity management system, restricting rights and permissions, and possibly debriefing the person or conducting an exit interview.
      2. This happens when a person changes roles within an organization, or departs the organization altogether.
  8. Due Diligence
    1. Ensuring that IT infrastructure risks are known and managed.
  9. Due Care
    1. The mitigation actions that an organization takes to defend against the risks that have been uncovered during due diligence.
  10. Due Process
    1. The principle that an organization must respect and safeguard personnel's rights.
    2. This is to protect the employee from the state and from frivolous lawsuits.
  11. User Education and Awareness Training
    1. Role-Based Training
      1. Employees with different roles in the organization receive different types of training.
        1. HR
        2. Accounting
        3. Technical Roles
    2. Account Training
      1. Password Policies
      2. Lockout Policies
    3. Privacy Training
      1. HIPAA Training
      2. PII Training
      3. PCI DSS Training
    4. Awareness Training
      1. Security reminders in emails, posters, banners, etc., to remind employees about secure practices.
  12. Non-Disclosure Agreement (NDA)
    1. An agreement not to share (disclose) certain information.