Humans are the weakest element in any security solution. No matter what physical or logical controls are deployed, humans will discover ways to avoid, circumvent, subvert or disable them. Insider threats originate from past or present employees, contractors or business partners. They can misuse their inside knowledge or access to harm people, customers, assets or reputation.
To apply security governance, an organization has to address the weakest link in the security chain - people.
Issues, compromises, and problems related to humans occur at all stages and on all levels of an organization. People are involved throughout the development, implementation, and administration of a security solution and therefore have to be evaluated regarding their effect on the process.
A strong relationship between the security department and human resources is essential to maintain control and minimize risks in an organization.
Hiring People
In a secure environment, the first step of hiring new personnel is to create a job description or position description. Without this description, there is no consensus on what type of individual should be hired. Personnel should only be added to an organization because there is a need for their specific skills and experience.
The description also has to include potential security issues originating from the position (e.g. handling of sensitive material or classified information). This classification of the position includes the type of access required (e.g. secure network) to perform the intended tasks.
With this information, the screening of candidates can be performed. This involves background checks, verified reference calls, checking police and government records, and screening of social media accounts.
After hiring an individual, they need to sign an employment agreement. This document outlines the rules and restrictions of the organization, the security policies, and consequences of violations.
Separation of Duties
The Separation of duties is a security concept in which sensitive, critical and significant work is divided among individuals. This prevents undermining or subversion of security mechanisms by an individual. It also reduces the risk of collusion which is the occurrence of negative activity by two or more people. Collusion is often performed for the purpose of fraud, theft, or espionage.
Limiting the power of individuals requires employees to work with others to commit large violations of security. Finding others to assist in a violation is more likely to leave behind detectable evidence.
Job Rotation
Rotating employees among multiple job positions help an organization to improve its overall security. Job rotation servers two functions. It provides knowledge redundancy and reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. The longer a person works in a specific position, the more likely they are to be assigned additional tasks and therefore expand their privileges and access.
Job rotation requires that privileges and access rights have to be reviewed regularly to maintain the principle of least privilege. In failure to do so, the employee will accumulate privileges over time. This is called privilege creep.
Onboarding
Onboarding is the process of adding a new employee to the identity and access management (IAM) system of an organization. The onboarding process is also performed when an employee’s role or position changes or when the person is awarded additional privilege or access rights.
Onboarding also refers to organizational socialization. In this process, the new employee is properly prepared for performing their job responsibilities. It includes training, job skill acquisition, and behavioral adaptation in order to integrate the employee efficiently into the existing processes and procedures.
Offboarding and Termination
The personnel security lifecycle includes the Termination or Offboarding of the employee. This stage is very critical and numerous issues must be addressed in order to maintain a secure environment. Termination should be handled in a private and respectful manner but this does not mean that no precautions should be taken. Once the employee has been informed of their release, they need to be escorted off the premises and are no longer allowed to return to their work area without an escort.
Before the release, all keys, badges, cards, tokens, and the work equipment have to be collected. When possible an exit interview should be performed. In this conversation, the liabilities and restrictions should be reviewed. This includes obligations based on the employment agreement, nondisclosure agreement, and any other security-related documents.
It is essential to offboard the employee from the IAM system shortly before or while informing the employee about the termination. Botched termination processes can cause critical damage to the organization. The completeness of information in the IAM system is critical for this process of disabling network access and removing company accounts from the individual.
Vendor, Consultant, and Contractors
Controls have to be defined for vendors, consultants, and contractors in order to define the expectation, compensation, and consequences for external entities to the own organization. These controls are defined and documented in a service-level-agreement or SLA.
It is best practice to put an SLA in place not only for external personnel but for all applications, connections, database, information systems, and any other critical part of an organizations infrastructure.
By clearly defining the expectations and penalties for external parties, everyone involved knows what is expected of them and what the consequences are in case of a failure to meet the expectations.
The onboarding and offboarding of external personnel have to follow the same procedures as the ones for regular staff.