Personnel Security:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
==Personnel Security==
Application owners grant legitimate users system access necessary to perform their duties; security personnel enforce access rights in accordance with institution standards. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems.<br>
<br>
'''Risk exposures from internal users include:'''
<br>
:* Altering data,
:* Deleting production and back-up data,
:* Disrupting systems,
:* Destroying systems,
:* Misusing systems for personal gain or to damage the institution,
:* Holding data hostage, and
:* Stealing strategic or customer data for corporate espionage or fraud schemes.
<br>
'''Background Checks and Screening'''<br>
<br>
Financial institutions should have a process to verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional background and credit checks. Institutions should verify that contractors are subject to similar screening procedures.<br>
<br>
'''Typically, the minimum verification considerations include:'''<br>
<br>
:* Character references;
:* Confirmation that the prospective employee was never convicted of a criminal offense, as detailed in 12 USC 1829;
:* Confirmation of prior experience, academic record, and professional qualifications; and
:* Confirmation of identity from government-issued identification.
<br>
After employment, managers should remain alert to changes in employees’ personal circumstances that could increase incentives for system misuse or fraud.<br>
<br>
==Agreements: Confidentiality, Non-Disclosure, and Authorized Use==
 
Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution’s reputation, violate customer privacy and associated rights, and violate regulatory requirements. Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.<br>
<br>
Authorized-use agreements are discussed in the “Access Rights Administration” section of this booklet.<br>
<br>
==Job Descriptions==
Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable-use policies and protect the institution’s assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.<br>
<br>
==Training==
Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials for desktop and workstation users would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.<br>
<br>
=='''Personnel Security References'''==
<blockquote style="background: darkkhaki; padding: 1em; margin-left: 0.5em;">
ISO 17799 defines Personnel Security objectives to reduce risks of human error, theft, fraud, or misuse of facilities; ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; and minimize the damage from security incidents and malfunctions and learn from such incidents. This section provides templates for Information Security standards that are required to comply with ISO Personnel Security objectives and support the objectives established in the Acceptable Use Policy, Security Awareness Policy, and Threat Assessment and Monitoring Policy.<br>
<br>
:'''1.''' [[Sample Internet Acceptable Use Policy:|'''Sample ISO Internet Acceptable Use Standard''']]<br>
:The Internet Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of Internet resources.<br>
<br>
:'''2.''' [[Sample Electronic Mail Acceptable Use Standard:|'''Sample ISO Electronic Mail Acceptable Use Standard''']]<br>
:The Electronic Mail Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of electronic mail resources.<br>
<br>
:'''3.''' [[Sample Telecommunication Acceptable Use Standard:|'''Sample ISO Telecommunications Acceptable Use Standard''']]<br>
:The Telecommunications Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of telecommunications resources.<br>
<br>
:'''4.''' [[Sample Software Acceptable Use Standard:|'''Sample ISO Software Acceptable Use Standard''']]<br>
:The Software Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of Company software.<br>
<br>
:'''5.''' [[Sample Misuse Reporting Standard:|'''Sample ISO Misuse Reporting Standard''']]<br>
:The Misuse Reporting Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements for reporting misuse of electronic communications systems and violations to the Acceptable Use Policy and its associated standards.<br>
<br>
:'''6.''' [[Sample Management Security Awareness Standard:|'''Sample ISO Management Security Awareness Standard''']]<br>
:The Management Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on security awareness education and training for the management team.<br>
<br>
:'''7.''' [[Sample New Hire Security Awareness Standard:|'''Sample ISO New Hire Security Awareness Standard''']]<br>
:The New Hire Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on security awareness education and training for newly hired employees.<br>
<br>
:'''8.''' [[Sample Third Party Security Awareness Standard:|'''Sample ISO Third Party Security Awareness Standard''']]<br>
:The Third Party Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on security awareness education and training for third party personnel.<br>
<br>
:'''9.''' [[Sample Ongoing Security Awareness Standard:|'''Sample ISO Ongoing Security Awareness Standard''']]<br>
:The Ongoing Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on ongoing security awareness education and training for employees.<br>
<br>
:'''10.''' [[Sample Security Awareness Accessibility Standard:|'''Sample ISO Security Awareness Accessibility Standard''']]<br>
:The Security Awareness Accessibility Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements for ensuring appropriate access to the Information Security Program Charter and associated policies and standards.<br>
<br>
:'''11.''' [[Sample Incident Response Standard:|'''Sample ISO Incident Response Standard''']]<br>
:The Incident Response Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions.
<br>
</blockquote>

Latest revision as of 12:54, 10 April 2007
