1.9 Contribute and Enforce Personnel Security Policies and Procedures Flashcards
What is the Purpose of Personnel Security Policies? What are Examples of Activities that Need a Procedure to Meet Policy Goals?
Ultimately, to address needs related to the use and protection of valuable organization assets. | These include Candidate Screening and Hiring, Onboarding, and Termination of employees.
List some examples of Personnel Security Policies and Controls.
Background checks, access badges, ID Cards, what you’re allowed to bring in and not allowed to bring in, Acceptable use policies, code of conduct, employee handbook, etc.
What should be agreed upon by both parties before giving a new employee an access badge and/or any system credentials?
Security policies, acceptable use policies, and similar agreements.
What controls are in place to prevent fraud or violation of organizational policies by employees?
“Separation of Duties”, “Job Rotation”, “Least Privilege” and “Need to Know”.
When are Offboarding Controls Used?
Whenever an employee leaves an organization, whether through termination or resignation.
What controls should be enacted during the employee offboarding process?
Employee system access should be disabled/revoked and all relevant parties should be notified of the termination.
Does Voluntary termination pose a security risk? How does it differ from involuntary termination?
Yes, though not as much as involuntary termination. A terminated employee is more likely to become hostile or lash out by stealing and tampering with data if involuntarily terminated. These should be handled carefully, more so than a voluntary termination. This can include having security involved in the terminating HR meeting to escort the terminated employee off the organization premises.
What does it mean to act under duress?
To act under influence of another, usually under external circumstances such as a bank manager being held at gunpoint during a robbery.
Give an example of a control that can be implemented for employees acting under duress (Bank Robbery Scenario)?
A bank manager/team can be trained on using challenge-response with local law enforcement: speaking a keyword signifies either that the bank robbery is in progress or that the caller is acting under duress when saying the robbery has stopped.
What third parties should personnel security policies extend to?
Any people with access to company assets as part of a service provided to the organization. This includes contractors, companies, and anyone else with access to security controls as part of a provided service.
What is the purpose of a job rotation personnel security control?
Job rotation is useful to protect against fraud and provide cross-training. It prevents fraud by ensuring no single person oversees an entire process, and it allows other personnel to assume the duty if an employee leaves.
What is the purpose of Mandatory Vacation in personnel security controls?
This can be used to detect fraud. During the employee's absence, another employee can step in and identify if malicious or nefarious activities have taken place.
What is the purpose of Separation of Duties as a personnel control?
Used to prevent fraud, by requiring more than one employee to perform a critical task. For instance, requiring different employees for each stage of the payment check process. That way the check cannot be submitted, reviewed, and processed by an individual employee.
What is the purpose of the Need-to-Know and Least Privilege personnel security controls?
Least Privilege is used to ensure that only the minimum permissions needed to complete the work are granted to any employee. Need-to-Know ensures that access to sensitive assets is restricted only to employees who require the information to complete their work.
What processes should be included in the onboarding process?
Identity Proofing (Background checks) | Signoff on policies and agreements | Access provisioning based on least privilege and need-to-know