Chapter 6: Human Resources Security

Security Program and
Policies
Principles and Practices
by Sari Stern Greene
Chapter 6: Human Resources Security

Copyright 2014 Pearson Education, Inc. 2
Objectives
❑ Define the relationship between information
security and personnel practices
❑ Recognize the stages of the employee lifecycle
❑ Describe the purpose of confidentiality and
acceptable use agreements
❑ Understand appropriate security education,
training, and awareness programs
❑ Create personnel-related security policies and
procedures

The Employee Lifecycle
■ Represents stages in the employee’s career
■ Lifecycle models can vary but most include
the following stages
❑ Recruitment
❑ Onboarding
❑ User provisioning
❑ Orientation
❑ Career development
❑ Termination

What Does Recruitment Have to Do
with Security?
❑ Risks and rewards of posting online employment
ads:
■ A company can reach a wider audience
■ A company can publish an ad that gives too much
information:
❑ About the network infrastructure and therefore allow a
hacker to footprint the internal network easily and stealthily
❑ About the company itself, inviting social engineering attacks

Job Postings
■ Job descriptions are supposed to:
❑ Convey the mission of the organization
❑ Describe the position in general terms
❑ Outline the responsibilities attached to said position
❑ Outline the company’s commitment to security via the use of such terms
as non-disclosure agreement
■ Job descriptions are NOT supposed to:
❑ Include information about specific systems, software versions, security
configurations, or access controls
■ It’s harder to hack a network if one doesn’t know what hardware & software
❑ If the above information is deemed necessary, two versions of the
position can be created. The second, more detailed version should be
posted internally and shared with candidates that have made the “first
cut”

Candidate Application Data
■ Companies are responsible for protecting the
data and privacy of the job seeker
■ Non-public personal information (NPPI)
should not be collected if possible

The Interview
■ Job Interview:
❑ The interviewer should be concerned about
revealing too much about the company during the
interview
❑ Job candidates should never gain access to
secured areas
❑ A job interview is a perfect foot-printing
opportunity for hackers and social engineers

Screening Prospective Employees
❑ An organization should protect itself by running
extensive background checks on potential
employees at all levels of the hierarchy
❑ Some higher level positions may require even
more in-depth checks
❑ Many U.S. government jobs require prospective
employees have the requisite clearance level

Types of Background Checks
❑ The company should have a basic background
check level to which all employees are subjected
❑ Information owners may require more in-depth
checks for specific roles
❑ Workers also have a right to privacy: Not all
information is fair game to gather – only
information relevant to the actual work they
perform
❑ Companies should seek consent from employees
before launching a background check

Types of Background Checks Cont.
❑ Educational records fall under FERPA. Schools
must first have written authorization before they
can provide student-related information
❑ Motor vehicle records fall under DPPA, which
means that the DMV – or its employees – are not
allowed to disclose information obtained by the
department
❑ The FTC allows the use of credit reports prior to
hiring employees as long as companies do so in
accordance with the Fair Credit Reporting Act

Types of Background Checks Cont.
❑ Bankruptcies may not be used as the SOLE
reason to not hire someone according to Title 11
of the U.S. Bankruptcy Code
❑ Criminal history: The use of this sort of information
varies from state to state
❑ Worker’s compensation records: In most states,
these records are public records, but their use
may not violate the Americans with Disabilities Act

What Happens in the Onboarding
Phase?
■ The new hire is added to the organization’s
payroll and benefit systems
■ New employees must provide
❑ Proof of identity
❑ Work authorization
❑ Tax identification
■ Two forms that must be completed
❑ Form I-9
❑ Form W-4

What Is User Provisioning?
■ The process of:
❑ Creating user accounts and group memberships
❑ Providing company identification
❑ Assigning access rights and permissions
❑ Assigning access devices such as tokens and/or
smartcards
■ The user should be provided with and
acknowledge the terms and conditions of the
Acceptable Use Agreement before being
granted access

What Should an Employee Learn
During Orientation?
■ His responsibilities
■ Information handling standards and privacy
protocols
■ Ask questions

The Importance of Employee
Agreements
❑ Confidentiality or non-disclosure agreements
■ Agreement between employees and organization
■ Defines what information may not be disclosed by
employees
■ Goal: To protect sensitive information
■ Especially important in these situations:
❑ When an employee is terminated or leaves
❑ When a third-party contractor was employed

The Importance of Employee
Agreements cont.
■ Acceptable Use Agreement
❑ A policy contract between the company and information systems
user
■ Components of an Acceptable Use Agreement
❑ Introduction
❑ Data classifications
❑ Applicable policy statement
❑ Handling standards
❑ Contacts
❑ Sanctions for violations
❑ acknowledgment

The Importance of Security
Education and Training
■ Training employees
❑ According to NIST: “Federal agencies […] cannot
protect […] information […] without ensuring that
all people involved […]:
■ Understand their role and responsibilities related to the
organization’s mission
■ Understand the organization’s IT security policy,
procedures and practices
■ Have at least adequate knowledge of the various
management, operational and technical controls
required and available to protect the IT resources for
which they are responsible”

The Importance of Security
Education and Training cont.
■ Hackers adapt: If it is easier to use social
engineering – i.e., targeting users – rather
than hack a network device, that is the road
they will take
■ Only securing network devices and
neglecting to train users on information
security topics is ignoring half of the threats
against the company

What Is the SETA Model?
■ What is SETA?
❑ Security Education Training and Awareness
❑ Awareness is not training: It is focusing the
attention of employees on security topics to
change their behavior
❑ Security awareness campaigns should be
scheduled regularly
❑ Security training “seeks to teach skills” (per NIST)
❑ Security training should NOT be dispensed only to
the technical staff but to all employees

Summary
❑ A security policy that does not include personnel
as a permanent threat to the data owned by the
company is incomplete. Social engineering is
more virulent than ever.
❑ Failing to train users on security topics is a bad
mistake and may result in a lack of compliance for
some federal mandates.
❑ All users should sign the Acceptable Use
Agreement before receiving access to company’s
systems and equipment

Chapter 6: Human Resources Security

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to Chapter 6: Human Resources Security (20)

More from Nada G.Youssef (16)

Recently uploaded (20)

Chapter 6: Human Resources Security