Sunday, September 28, 2014

Information Security Controls Relating to Personnel

Information Security in an organization largely focuses on the Confidentiality, Integrity and Availability of data, information and related resources. While the overall risk from threats is increasing, studies indicate that the threat comes more from the inside than from the outside. This has made it necessary to frame policies, procedures and controls around the employees of the organization, so that risks arising from within can be mitigated or managed well.

Whilst personnel security controls cannot provide guarantees, they are sensible precautions that ensure the identity of individuals is properly established. Where risk assessments indicate that the necessary thresholds are met, they also provide for checks of official and other data sources that can indicate whether individuals may be susceptible to influence or pressure which might cause them to abuse their position, or whether there are any other reasons why individuals should not have access to sensitive assets.

Personnel security aims to:
  • reduce the risk of loss, damage or compromise of Australian Government resources by providing assurance about the suitability of personnel authorised to access those resources
  • create an environment where those accessing Australian Government resources are aware of the responsibilities that come with that access and abide by their obligations under the PSPF
  • minimise potential for misuse of Australian Government resources through inadvertent or deliberate unauthorised disclosure
  • support a culture of protective security.

Controls designed around the following aspects help an organization achieve the stated purpose:


Information security awareness and training

Organizations must have a program to provide information security awareness and training for personnel on an ongoing basis, focusing on information security policies and covering topics such as responsibilities, consequences of non-compliance, and potential security risks and countermeasures. It is human nature to lose or forget training content over time. Providing ongoing information security awareness and training helps keep personnel aware of current issues and of their responsibilities.

Information security awareness and training programs are designed to help personnel to: become familiar with their roles and responsibilities; understand and support security requirements; and learn how to fulfil their security responsibilities. Methods that can be used to continually promote awareness include logon banners, system access forms and departmental bulletins or memoranda.

Specific controls may be designed around the following aspects of information security awareness training:
  • Accessibility of the Information Security Policies and Procedures
  • Number and type of such programs to be offered to personnel
  • Degree and content of information security awareness and training, which may be based on the roles of employees and on the target systems to which they have access
  • A scoring system for employees designed to establish their level of awareness. A gamified approach may work well here.
  • Establishing responsibility and accountability for security of the information assets.
  • Review and feedback system for content and process improvement

Authorisations and Security Clearances

Depending on their roles and responsibilities, employees gain access to various systems, data and information. It is important that only appropriately authorised, cleared and briefed personnel are allowed access to such systems. For this purpose, systems, data and other information resources should be identified and classified based on their sensitivity. Similarly, a mapping of the various roles to the types of access they may have on such resources should be created. This mapping will typically be based on "need to know". Exceptions are also documented and handled with additional clearances or approvals.

Employees seeking access to a system need to have a genuine business requirement to access it, as verified by their manager. Once a requirement to access a system is established, it is imperative to give personnel only the privileges they need to undertake their duties. Providing all personnel with privileged access when there is no requirement for it can be a significant threat to a system. Any temporary access to information resources should be time-bound and closely monitored, and should lapse when the window ends. Similarly, during emergency situations, privilege escalation may be required to carry out certain critical tasks. Such escalations should be documented and subject to appropriate additional authorization.

Specific controls may be designed around the following aspects:
  • Existence of a process for ascertaining employees' background and trustworthiness
  • Documented inventory of information assets with appropriate security and sensitivity classification
  • Documented roles and responsibilities of personnel
  • Establishing the identity of the employees or contractors as the case may be
  • Mapping of roles with the information assets
  • Authorization process for the grant of privileges
  • Change management process for privilege escalation or downgrade
  • Maintenance of Access logs with necessary details
  • Periodic review and audit of authorizations and access logs
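The periodic review of access logs against authorizations can be partly automated. The following Python script is an added example, not part of the original post: it reconciles a constructed access log against a role-to-asset mapping ("need to know") and a register of time-bound temporary or emergency grants, flagging accesses that no standing role covers, accesses made under an expired temporary grant, and emergency escalations with no approver recorded. All user, role, asset and grant names, and the log line format, are hypothetical.

```python
from datetime import datetime

# Constructed role-to-asset mapping: each role's maximum level per asset.
ROLE_ACCESS = {
    "payroll_clerk": {"payroll_db": "read"},
    "payroll_admin": {"payroll_db": "admin"},
    "hr_analyst": {"hr_records": "read"},
}

# Constructed mapping of users to their standing roles.
USER_ROLES = {
    "alice": {"payroll_clerk"},
    "bob": {"hr_analyst"},
    "carol": {"payroll_admin"},
}

# Constructed register of temporary / emergency grants with validity windows.
# The second entry models an emergency escalation that was never approved.
TEMP_GRANTS = [
    {"user": "bob", "asset": "payroll_db", "level": "read", "approver": "mgr-dana",
     "start": "2014-09-01T00:00:00", "end": "2014-09-15T00:00:00"},
    {"user": "alice", "asset": "payroll_db", "level": "admin", "approver": None,
     "start": "2014-09-20T00:00:00", "end": "2014-09-21T00:00:00"},
]

# Ordering of access levels so a higher grant covers a lower request.
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}

# Constructed access log: "<ISO timestamp> <user> <asset> <level>" per line.
ACCESS_LOG = """\
2014-09-10T09:12:00 alice payroll_db read
2014-09-10T09:30:00 bob payroll_db read
2014-09-18T14:05:00 bob payroll_db read
2014-09-20T02:00:00 alice payroll_db admin
2014-09-22T11:00:00 carol hr_records read
"""


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, asset, level = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "asset": asset, "level": level})
    return entries


def role_permits(user, asset, level):
    """True if any standing role of the user covers `level` on `asset`."""
    for role in USER_ROLES.get(user, ()):
        granted = ROLE_ACCESS.get(role, {}).get(asset)
        if granted and LEVEL_RANK[granted] >= LEVEL_RANK[level]:
            return True
    return False


def matching_grants(user, asset, level):
    """Temporary grants for this user/asset that cover the requested level."""
    return [g for g in TEMP_GRANTS
            if g["user"] == user and g["asset"] == asset
            and LEVEL_RANK[g["level"]] >= LEVEL_RANK[level]]


def review(entries):
    """Return (finding_kind, user, asset, timestamp) for each questionable access."""
    findings = []
    for e in entries:
        if role_permits(e["user"], e["asset"], e["level"]):
            continue  # covered by a standing role: nothing to report
        grants = matching_grants(e["user"], e["asset"], e["level"])
        if not grants:
            findings.append(("unauthorized", e["user"], e["asset"], e["ts"].isoformat()))
            continue
        # Keep only grants whose validity window contains the access time.
        active = [g for g in grants
                  if datetime.fromisoformat(g["start"]) <= e["ts"]
                  < datetime.fromisoformat(g["end"])]
        if not active:
            findings.append(("expired_grant", e["user"], e["asset"], e["ts"].isoformat()))
        elif not any(g["approver"] for g in active):
            findings.append(("unapproved_escalation", e["user"], e["asset"], e["ts"].isoformat()))
    return findings


def run_review():
    """Convenience wrapper over the constructed log."""
    return review(parse_log(ACCESS_LOG))


if __name__ == "__main__":
    for kind, user, asset, ts in run_review():
        print(f"{ts} {user} {asset}: {kind}")
```

In a real review the role mapping and grant register would be pulled from the access-management system rather than embedded, and every "unauthorized" or "unapproved_escalation" finding would be routed to the asset owner for disposition; an "expired_grant" finding additionally indicates that the time-bound access was never revoked.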

Internet Usage

Use of the Internet is a major source of security breaches, as it can introduce external threats such as malware and viruses. There should be a fair use policy with respect to the Internet, which sets out the Do's and Don'ts for employees. Employees should be made aware of what constitutes suspicious contact and how to report it, especially contact from external sources using Internet services. Organizations should implement measures to monitor their personnel's compliance with their Internet usage policies.

Employees need to take special care not to accidentally post sensitive or classified information on public websites, especially forums, blogs and social networking sites. Employees holding key positions should attach an appropriate disclaimer stating that such posts reflect their personal views and do not bind the organization.

The following specific controls may help in implementing the policies and procedures around this aspect:
  • Existence of a Fair Use Policy
  • Collection of logs and data for monitoring violations to such policies
  • Initiation of disciplinary action against policy violations
  • Enforce appropriate system security and privacy policies for internet usage
  • Monitor the use of unspecified or unauthorized websites or applications that access the Internet.