Personnel Security

Users can pose the biggest security risk to an organization. Background checks should be performed, contractors need to be securely managed, and users must be properly trained and made aware of security risks, as we will discuss next. Controls such as Non-disclosure Agreements (NDAs) and related employment agreements are recommended personnel security controls, as we will discuss in Chapter 8, Domain 7: Security Operations.

Candidate Screening and Hiring

Candidates should be carefully screened before they are hired. Organizations should conduct a thorough background check before hiring an individual. A criminal records check should be conducted, and all experience, education, and certifications should be verified. Lying about or exaggerating education, certifications, and related credentials is one of the most common forms of dishonesty in the hiring process.

More thorough background checks should be conducted for roles with heightened privileges, such as access to money or classified information. These checks can include a financial investigation, a more thorough criminal records check, and interviews with friends, neighbors, and current and former coworkers.

Onboarding

The onboarding process begins once a candidate has been hired. The Principle of Least Privilege (PoLP) should be followed when accounts are created and access is granted. The new employee should be made aware of all relevant policies and procedures, such as the Internet acceptable use policy. This process is often ineffective because the new hire is handed piles of forms (direct deposit, health insurance, etc.), with the security policies buried in the pile. Special care should be taken to make sure the hire is fully aware of all relevant security policies. Training and awareness should begin immediately.

Employee Termination

Termination should result in immediate revocation of all employee access. Beyond account revocation, termination should be a fair process. There are ethical and legal reasons for employing fair termination, but there is also an additional information security advantage. An organization’s worst enemy can be a disgruntled former employee, who, even without legitimate account access, knows where the “weak spots are.” This is especially true for IT personnel.

A negative reaction to termination is always possible, but using a fair termination process may lower the risk. As in many areas on the CISSP® exam, process trumps informal actions. A progressive discipline (also called ladder of discipline) process includes:

  • Coaching
  • Formal discussion
  • Verbal warning meeting, with Human Resources attendance (perhaps multiple warnings)
  • Written warning meeting, with Human Resources attendance (perhaps multiple warnings)
  • Termination

The employee should be given clear guidance on the cause of the discipline, and given direct actionable steps required to end the process. An example is, “You are being disciplined for failing to arrive at work in a timely fashion. You must arrive for work by 9:00 AM each workday, unless otherwise arranged or in cases of an emergency. This process will end when you consistently arrive for work on time. This process will continue if you continue to fail to arrive at work on time. This process can lead to termination of employment if the problem continues.”

If the process ends in termination, there are no surprises left. This is fair, and lowers the chance of a negative reaction. People tend to act more reasonably if they feel they have been treated fairly.