Personnel security are the controls that enable people to play their foundational role in protecting information and information systems of the organization. All people have responsibilities to properly use the protective controls. Some people are additionally trusted to support the correct design or operation of security controls. Thus, personnel security is the foundation upon which all other controls operate. This section discusses key elements of personnel security and the associated roles.
Applicants for job openings are screened to prioritize the best qualified candidate to hire. The security screening is intended to confirm the candidate’s trustworthiness and can vary depending on the level of trust associated with the position. Screening can involve credit checks and inquiries into police records. Formal organization criteria should be applied by the person in authority to accept or reject a candidate.
Establish Duty to Protect
On the first day, every new employee typically signs an employment contract. One component establishes their duty to protect the organization’s proprietary information and information systems. There may be an additional information protection agreement or a system use agreement signed during an employee’s career, such as when government classified information is involved.
Security Briefings, Training and Awareness
The security leader is challenged with the fact that people are the first line of defense and are also as a group the weakest element of defense. Illustrative examples include allowing tailgaters through physical access controls, leaving a list of userids and passwords beside their workstation, and clicking on links within (what should be) suspicious SPAM email.
Your organization’s first day employee training needs a component on security practices relevant for everyone. You will also want specialized briefings for other roles such as managers and system administrators. The objective on the first day is that organization executive’s security expectations are understood and internalized by every new employee. Avoid death by PowerPoint, which will win no converts.
Additional training is appropriate when specific security skills must be learned, such as secure application development practices. It is unfortunately common for organization to invest in slick training modules and an array of current topics followed by a quiz to confirm skills. You will want to analyze the risk reduction benefit before proposing the investment in both development time and employees training time.
Employees receive education, training and awareness materials with the expectation that they will be equipped to play their very important role for information security. Do not underestimate the importance or difficulty of influencing user behavior. It is best to prioritize the few user behaviors that are of greatest importance, then reinforce them at reasonable intervals through the chain of control. For example, if wearing the organization badge is a key control, then the organization executive must model behavior by always being seen wearing the badge where it is clearly visible.
The organization executive must “walk the talk” on following security practices. Executive staff will naturally copy the executive’s behavior. Whenever some security incident or new practice is shared with employees, the organization executive must be the primary speaker, with you sufficiently visible on explaining details to reinforce your role.
Very selective use of security reminders can help users so long as they are relevant and helpful. By contrast, use of generic posters, such as “remember security” with a comical picture, is more likely to decrease your credibility then have any beneficial impact.
Finally, there will be instances when individuals fail to follow security practices. This results in an adverse impact to the organization. Your investigations organization presents findings to the disciplinary function who determines appropriate disciplinary action for the individual. It is valuable to publicize a summary of the investigation (non-attributed) including the disciplinary action as a practical reminder of the importance of personnel security and the consequences of failures.
Copyright © 2019 Christopher T. Carlson
Return to Defense in Depth