BMS100_PHL1-21PreLearn_F2022.pptx
Developing Cybersecurity Programs and Policies by Omar Santos
Chapter 6: Human Resources Security

Objectives
- Define the relationship between cybersecurity and personnel practices
- Recognize the stages of the employee lifecycle
- Describe the purpose of confidentiality and acceptable use agreements
- Understand appropriate security education, training, and awareness programs
- Create personnel-related security policies and procedures

The Employee Lifecycle
- Represents stages in the employee's career
- Lifecycle models can vary, but most include the following stages:
  - Recruitment
  - Onboarding
  - User provisioning
  - Orientation
  - Career development
  - Termination
  - Off-boarding

Rewards and Risks of Online Employment Ads
- A company can reach a wide audience
- However, a company can publish an ad that gives too much information:
  - About the network infrastructure, allowing a hacker to footprint the internal network easily and stealthily
  - About the company itself, inviting social engineering attacks

Online Job Description Postings
- Convey the mission of the organization
- Describe the position in general terms
- Outline the responsibilities attached to the position
- Outline the company's commitment to security through the use of terms such as "non-disclosure agreement"
- Do not reveal information about the company's IT infrastructure that hackers could use

Candidate Application Data
- Companies are responsible for protecting the data and privacy of the job seeker
- Nonpublic personal information (NPPI) should not be collected if possible

The Interview
- A job interview is a perfect footprinting opportunity for hackers and social engineers
- The interviewer should be careful not to reveal too much about the company during the interview
- Job candidates should never gain access to secured areas

Screening Prospective Employees
- An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
- Some higher-level positions may require even more in-depth checks
- Many U.S. government jobs require prospective employees to have the requisite clearance level

Background Checks
- All employees should be subject to a basic background check
- Information owners may require more in-depth checks for specific roles
- Workers have a right to privacy; gather only information relevant to the work they perform
- Seek consent from employees before launching a background check

Background Checks (continued)
- Educational records fall under FERPA; motor vehicle records fall under the DPPA
- Schools must first have written authorization before they can provide student-related information
- The DMV—or its employees—are not allowed to disclose information obtained by the department
- The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act

Background Checks (continued)
- Bankruptcies may not be used as the only reason not to hire someone, according to Title 11 of the U.S. Bankruptcy Code
- The use of criminal history information varies from state to state
- In most states, Workers' Compensation records are public records, but their use may not violate the Americans with Disabilities Act

Government Clearance
- Application phase
- Investigative phase
- Adjudication phase
- Granting (or denial) of clearance at a specific level

Onboarding Phase
- The new hire is added to the organization's payroll and benefit systems
- New employees must provide:
  - Proof of identity
  - Work authorization
  - Tax identification
- Two forms that must be completed:
  - Form I-9
  - Form W-4

User Provisioning
- User provisioning is the process of:
  - Creating user accounts and group memberships
  - Providing company identification
  - Assigning access rights and permissions
  - Assigning access devices such as tokens and/or smartcards
- The user should be provided with, and acknowledge, the terms and conditions of the acceptable use agreement before being granted access

Employee Orientation
- The employee should learn what his or her responsibilities will be
- The employee should receive instruction about information handling standards and privacy protocols
- The employee should have the opportunity to ask questions

Termination: The Most Dangerous Phase
- Emotionally charged event
- A terminated employee may seek revenge, create havoc, or take information
- Where there is any concern that the employee may react negatively, all access to data and systems should be disabled prior to informing the employee

Confidentiality or Non-Disclosure Agreements
- Agreement between employees and the organization
- Defines what information may not be disclosed by employees
- Goal: to protect sensitive information
- Especially important in these situations:
  - When an employee is terminated or leaves
  - When a third-party contractor was employed

Acceptable Use Agreements
- A policy contract between the company and the information systems user
- Components of an Acceptable Use Agreement:
  - Introduction
  - Data classifications
  - Applicable policy statement
  - Handling standards
  - Contacts
  - Sanctions for violations
  - Acknowledgment

Security Education and Training
- According to NIST: "Federal agencies [...] cannot protect [...] information [...] without ensuring that all people involved [...]:
  - Understand their role and responsibilities related to the organization's mission
  - Understand the organization's IT security policy, procedures, and practices
  - Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible"

Security Education and Training
- Securing only network devices while neglecting to train users on cybersecurity topics ignores half of the threats against the company
- Workers must be trained to identify and defend against social engineering attacks
- If it is easier to use social engineering than to hack a network device, that is the road attackers will take

What Is the SETA Model?
- SETA: Security Education, Training, and Awareness
- Awareness is not training; it focuses the attention of employees on security topics in order to change their behavior
- Security awareness campaigns should be scheduled regularly
- Security training "seeks to teach skills" (per NIST)
- All employees should receive security training

Summary
- The employee lifecycle includes recruitment, onboarding, user provisioning, orientation, career development, termination, and off-boarding
- Use care when advertising job openings online so that you do not give away any information that could compromise security
- Protect the data and privacy of job seekers
- Do not give away too much company information during job interviews
- Background checks can help screen job candidates; some high-security positions require more in-depth checks

Summary
- User provisioning includes creating user accounts and group memberships, providing company ID, assigning access rights, and assigning access devices
- Termination can be emotionally charged; lock the employee out of all systems prior to informing him or her
- All users should sign an acceptable use agreement before receiving access to systems and equipment
- An acceptable use agreement contains data classifications, a policy statement, handling standards, contacts, sanctions for violations, and acknowledgment forms
- The SETA model covers both security awareness and security training
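The two controls the User Provisioning and Termination slides call for (no access before the acceptable use agreement is acknowledged; all access disabled before the employee is informed) are easy to state and easy to get out of order in practice, so an identity system should enforce them rather than rely on the HR checklist. The following Python module is an added example written for this transcript; it is not code from the slide deck, the book, or any real identity product. The role catalogue, usernames, device names and audit-record wording are constructed for illustration; the only behaviour it claims is the ordering rules the slides describe.

```python
"""Identity-lifecycle checks for the user-provisioning and termination stages.

Added example, not part of the slide deck or of any real product. The role
catalogue, usernames, device names and audit-record format are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Sequence, Set


class Status(Enum):
    PENDING = "pending"      # account record exists, no access granted yet
    ACTIVE = "active"
    DISABLED = "disabled"


# Constructed role catalogue: the minimum group memberships each role needs.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "analyst": {"staff", "vpn", "ticketing"},
    "dba": {"staff", "vpn", "db-admins"},
    "contractor": {"contractor", "ticketing"},
}


@dataclass
class User:
    username: str
    role: str
    aua_acknowledged: bool = False
    status: Status = Status.PENDING
    groups: Set[str] = field(default_factory=set)
    devices: List[str] = field(default_factory=list)   # tokens, smartcards


@dataclass
class AuditEvent:
    when: datetime
    username: str
    action: str


class IdentityLifecycle:
    """User records plus an append-only audit trail of lifecycle actions."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, username: str, action: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), username, action))

    # --- onboarding / user provisioning ---------------------------------
    def onboard(self, username: str, role: str) -> User:
        if role not in ROLE_GROUPS:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = User(username, role)
        self._log(username, "account created")
        return self.users[username]

    def acknowledge_aua(self, username: str) -> None:
        self.users[username].aua_acknowledged = True
        self._log(username, "acceptable use agreement acknowledged")

    def provision(self, username: str, devices: Sequence[str] = ()) -> User:
        user = self.users[username]
        if not user.aua_acknowledged:
            # Slide rule: the AUA must be acknowledged before any access is granted.
            raise PermissionError(f"{username} has not acknowledged the AUA")
        user.groups = set(ROLE_GROUPS[user.role])   # only the role's own groups
        user.devices = list(devices)
        user.status = Status.ACTIVE
        self._log(username, f"provisioned groups={sorted(user.groups)} devices={user.devices}")
        return user

    # --- termination / off-boarding --------------------------------------
    def disable_access(self, username: str) -> List[str]:
        """Revoke every group membership and device in one step; returns what was revoked."""
        user = self.users[username]
        revoked = sorted(user.groups) + list(user.devices)
        user.groups.clear()
        user.devices = []
        user.status = Status.DISABLED
        self._log(username, "all access disabled")
        return revoked

    def notify_employee(self, username: str) -> None:
        """Refuse to record the termination notice while access is still live."""
        if self.users[username].status is not Status.DISABLED:
            raise RuntimeError(f"disable access for {username} before notifying them")
        self._log(username, "employee informed of termination")

    def termination_order_ok(self, username: str) -> bool:
        """Audit check: 'all access disabled' must precede 'employee informed'."""
        actions = [e.action for e in self.audit if e.username == username]
        if "all access disabled" not in actions or "employee informed of termination" not in actions:
            return False
        return actions.index("all access disabled") < actions.index("employee informed of termination")


def demo() -> List[str]:
    """Walk one constructed user through the lifecycle and return the audit actions."""
    lc = IdentityLifecycle()
    lc.onboard("jdoe", "analyst")
    lc.acknowledge_aua("jdoe")
    lc.provision("jdoe", ["token-0001"])
    lc.disable_access("jdoe")
    lc.notify_employee("jdoe")
    return [e.action for e in lc.audit if e.username == "jdoe"]
```

The design choice worth noting is that the ordering rule lives in `notify_employee` (it refuses while the account is still active) and is also checkable after the fact from the audit trail with `termination_order_ok`, so a reviewer can confirm the sequence without trusting the operator's memory of what happened first.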