Chapter 6-Business Security Process


8/10/2019 Chapter 6-Business Security Process

OBJECTIVES

Describe the role of security in personnel practices
Develop secure recruiting & interviewing procedures
Evaluate confidentiality & employee security agreements
Understand appropriate security education, training & awareness programs
Design an incident reporting program
Create personnel-related security policies and procedures

INTRODUCTION

Personnel-related policies are mostly the responsibility of the Human Relations (HR) department
Aspects of personnel security may involve the training department, legal counsel and employee unions or associations
Employees are simultaneously the organization's most valuable assets and its most dangerous risks
Employees must receive information security training

FIRST CONTACT

Risks and rewards of posting online employment ads:
  A company can reach a wider audience
  A company can publish an ad that gives too much information:
    About the network infrastructure, and therefore allow a hacker to footprint the internal network easily and stealthily
    About the company itself, inviting social engineering attacks

JOB DESCRIPTIONS

Job descriptions are supposed to:
  Convey the mission of the organization
  Describe the position in general terms
  Outline the responsibilities attached to said position
  Outline the company's commitment to security via the use of such terms as "non-disclosure agreement"

JOB DESCRIPTIONS CONT.

Job descriptions are NOT supposed to:
  Include information about the internal network, such as types of servers deployed, types of routers deployed, and any other information that would allow a hacker to map the infrastructure of the internal network
    It's harder to hack a network if one doesn't know what hardware & software
  If the above information is deemed necessary, have the ad be anonymous

THE INTERVIEW

Job Interview:
  The interviewer should be concerned about revealing too much about the company during the interview
  Job candidates should never gain access to secured areas
  A job interview is a perfect foot-printing opportunity for hackers and social engineers

WHO IS THIS PERSON?

An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
Some higher level positions may require even more in-depth checks
In the military, information and users have a clearance level
  Note the clearance level is not all they need: they also need a demonstrated need to know to access data

TYPES OF BACKGROUND CHECKS

The company should have a basic background check level to which all employees are subjected
Information owners may require more in-depth checks for specific roles
Workers also have a right to privacy: not all information is fair game to gather, only information relevant to the actual work they perform
Companies should seek consent from employees before launching a background check

TYPES OF BACKGROUND CHECKS CONT.

Educational records fall under FERPA. Schools must first have written authorization before they can provide student-related information
Motor vehicle records fall under DPPA, which means that the DMV, or its employees, are not allowed to disclose information obtained by the department
The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act

TYPES OF BACKGROUND CHECKS CONT.

Bankruptcies may not be used as the SOLE reason to not hire someone, according to Title 11 of the US Bankruptcy Code
Criminal history: the use of this sort of information varies from state to state
Workers' compensation records: in most states, these records are public records, but their use may not violate the Americans with Disabilities Act

THE IMPORTANCE OF EMPLOYEE AGREEMENTS

Confidentiality agreements
  Agreement between employees and organization
  Defines what information may not be disclosed by employees
  Goal: to protect sensitive information
  Especially important in these situations:
    When an employee is terminated or leaves
    When a third-party contractor was employed

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

Affirmation Agreements
  Focus on why acceptable use policies were created and how important compliance is
  An affirmation agreement is a teaching tool that serves as a guideline when an employee is faced with a situation not explicitly covered in the policy

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

Affirmation Agreements
  Should include the following topics:
    Acceptable use of information resources
    Internet use
    E-mail use
    Incidental use of information resources
    Password management
    Portable computers

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

Affirmation Agreements
  Agreement should end with a commitment paragraph acknowledging that:
    The user has read the agreement
    The user understands the agreement
    The user understands the consequences of violating the agreement
    The user agrees to act in accordance with the policies set forth

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.

Affirmation Agreements
  The agreement should be dated and signed by the employee
  The signing of the agreement should be witnessed
  An appendix of definitions should be provided to the user

TRAINING IMPORTANT?

Training employees
  According to NIST: "Federal agencies ... cannot protect ... information ... without ensuring that all people involved ...":
    Understand their role and responsibilities related to the organization's mission
    Understand the organization's IT security policy, procedures and practices
    Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible

TRAINING IMPORTANT? CONT.

Hackers adapt: if it is easier to use social engineering, i.e. targeting users, rather than hack a network device, that is the road they will take
Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company

SETA FOR ALL

What is SETA?
  Security Education, Training and Awareness
  Awareness is not training: it is focusing the attention of employees on security topics in order to change their behavior
  Security awareness campaigns should be scheduled regularly
  Security training seeks to teach skills (per NIST)
  Security training should NOT be dispensed only to the technical staff but to all employees

SETA FOR ALL CONT.

What is SETA?
  Education: a common body of knowledge should be developed for all employees
  Specific bodies of knowledge should be developed for specific roles in the company
  SETA funding should be codified in the security policy so that it is not slashed at the first opportunity
  GLBA and HIPAA both include security training requirements as part of compliance

SECURITY INCIDENT REPORTING IS EVERYONE'S RESPONSIBILITY

It is the responsibility of ALL employees to report security incidents
Any time data confidentiality, integrity and/or availability is threatened, a security incident report should be filed
Users must be vigilant and trained to recognize and report security incidents
Reporting security incidents must become a part of the corporate culture

SECURITY INCIDENT REPORTING IS EVERYONE'S RESPONSIBILITY CONT.

A security incident reporting program should feature the following three ingredients:
  Training users to recognize suspicious incidents
  Implementing an easy incident reporting system
  Staff involved in the investigation of the incident should report back to the employees who reported it, to show that the report was not dismissed and to encourage future reports

TESTING THE PROCEDURES

The security incident reporting program should be tested to make sure that it works and that it provides investigators with the information they need
Testing should not occur without knowledge and approval from senior management
Testing should NOT be advertised to employees, so that the results are accurate

TESTING THE PROCEDURES CONT.

Testing the security incident reporting system should focus on the two following topics:
  How did the employees respond to the incident?
    Did they apply techniques and procedures learned during training?
  Did the employees report the incident?
Results should be documented and analyzed. If necessary, training material should be edited for clarity or for new procedures