5_3_1 Section 5 – Governance, Risk, and Compliance - 5.3 – Organizational Security Policies - Personnel Security

Acceptable Use Policy (AUP)

• A documented set of rules that covers how to use technology in an organization, including internet, telephones, computers, mobile devices, and tablets.
• Provides a way to set expectations and specify rules for technology use in the organization.

Security Policies

• Job rotation: rotating employees through different jobs to reduce the risk of security breaches.
• Mandatory vacations: require employees to take vacations to ensure that someone else covers their responsibilities and limits the ability of any one person to commit fraud.
• Separation of duties: dividing responsibilities among multiple employees to prevent any one person from having too much power or access.
• Dual control: requiring two people to be present to perform a business function.
• Split knowledge: divided knowledge among multiple employees to prevent any one person from having access to sensitive information.
• Clean desk policy: requiring employees to clear their desks of sensitive information when leaving their workspace.

Limiting Access and Privileges

• Least privileged policy: configuring users with limited rights and permissions to perform their job duties.
• Limiting access to sensitive data and minimizing the scope of malicious software.
• Configuring applications to run with minimal privileges.

Background Checks and Employment

• Background checks: screening process to verify information provided in job applications and resumes.
• Adverse action: denying employment or taking action against an employee based on information found in a background check.

Non-Disclosure Agreements (NDAs)

• Confidentiality agreements between two parties to limit the sharing of sensitive information.
• Commonly used in business contracts to ensure privacy.

Social Media Analysis

• Evaluating an individual's presence on social media to gather more information about them during the hiring process.

On-boarding and Off-boarding Processes

• On-boarding: bringing new employees into the organization, including setting up accounts, providing equipment, and signing agreements.
• Off-boarding: procedures for when an employee leaves the organization, including returning equipment and disabling accounts.

Training and Awareness

• Gamification: training style that uses points, competition, and badges to engage users.
• Capture The Flag (CTF): security-related competition for training and awareness.
• Phishing simulations: training users to identify and avoid phishing attacks.
• Computer-based training: self-paced training that includes video, audio, and Q&A.

Acceptable Use Policy (AUP)

• A documented set of rules that covers how to use technology in an organization, including internet, telephones, computers, mobile devices, and tablets.
• Provides a way to set expectations and specify rules for technology use in the organization.

Security Policies

• Job rotation: rotating employees through different jobs to reduce the risk of security breaches.
• Mandatory vacations: require employees to take vacations to ensure that someone else covers their responsibilities and limits the ability of any one person to commit fraud.
• Separation of duties: dividing responsibilities among multiple employees to prevent any one person from having too much power or access.
• Dual control: requiring two people to be present to perform a business function.
• Split knowledge: divided knowledge among multiple employees to prevent any one person from having access to sensitive information.
• Clean desk policy: requiring employees to clear their desks of sensitive information when leaving their workspace.

Limiting Access and Privileges

• Least privileged policy: configuring users with limited rights and permissions to perform their job duties.
• Limiting access to sensitive data and minimizing the scope of malicious software.
• Configuring applications to run with minimal privileges.

Background Checks and Employment

• Background checks: screening process to verify information provided in job applications and resumes.
• Adverse action: denying employment or taking action against an employee based on information found in a background check.

Non-Disclosure Agreements (NDAs)

• Confidentiality agreements between two parties to limit the sharing of sensitive information.
• Commonly used in business contracts to ensure privacy.

Social Media Analysis

• Evaluating an individual's presence on social media to gather more information about them during the hiring process.

On-boarding and Off-boarding Processes

• On-boarding: bringing new employees into the organization, including setting up accounts, providing equipment, and signing agreements.
• Off-boarding: procedures for when an employee leaves the organization, including returning equipment and disabling accounts.

Training and Awareness

• Gamification: training style that uses points, competition, and badges to engage users.
• Capture The Flag (CTF): security-related competition for training and awareness.
• Phishing simulations: training users to identify and avoid phishing attacks.
• Computer-based training: self-paced training that includes video, audio, and Q&A.