Personnel Security:
Personnel Security
Application owners grant legitimate users system access necessary to perform their duties; security personnel enforce access rights in accordance with institution standards. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems.
Risk exposures from internal users include:
- Altering data,
- Deleting production and back-up data,
- Disrupting systems,
- Destroying systems,
- Misusing systems for personal gain or to damage the institution,
- Holding data hostage, and
- Stealing strategic or customer data for corporate espionage or fraud schemes.
Background Checks and Screening
Financial institutions should have a process to verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional background and credit checks. Institutions should verify that contractors are subject to similar screening procedures.
Typically, the minimum verification considerations include:
- Character references;
- Confirmation that the prospective employee was never convicted of a criminal offense, as detailed in 12 USC 1829;
- Confirmation of prior experience, academic record, and professional qualifications; and
- Confirmation of identity from government issued identification.
After employment, managers should remain alert to changes in employees’ personal circumstances that could increase incentives for system misuse or fraud.
Agreements: Confidentiality, Non-Disclosure, and Authorized Use
Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution’s reputation, violate customer privacy and associated rights, and violate regulatory requirements. Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.
Authorized-use agreements are discussed in the “Access Rights Administration” section of this booklet.
Job Descriptions
Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable-use policies and protect the institution’s assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.
Training
Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials for desktop and workstation users would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.
Personnel Security References
ISO 17799 defines Personnel Security objectives to reduce risks of human error, theft, fraud, or misuse of facilities; ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; and minimize the damage from security incidents and malfunctions and learn from such incidents. This section provides templates for Information Security standards that are required to comply with ISO Personnel Security objectives and support the objectives established in the Acceptable Use Policy, Security Awareness Policy, and Threat Assessment and Monitoring Policy.
- 1. Sample ISO Internet Acceptable Use Standard
- The Internet Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of Internet resources.
- 2. Sample ISO Electronic Mail Acceptable Use Standard
- The Electronic Mail Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of electronic mail resources.
- 3. Sample ISO Telecommunications Acceptable Use Standard
- The Telecommunications Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of telecommunications resources.
- 4. Sample ISO Software Acceptable Use Standard
- The Software Acceptable Use Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements on the proper and appropriate business use of Company software.
- 5. Sample ISO Misuse Reporting Standard
- The Misuse Reporting Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Acceptable Use Policy by providing specific instructions and requirements for reporting misuse of electronic communications systems and violations to the Acceptable Use Policy and its associated standards.
- 6. Sample ISO Management Security Awareness Standard
- The Management Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on security awareness education and training for the management team.
- 7. Sample ISO New Hire Security Awareness Standard
- The New Hire Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on security awareness education and training for newly hired employees.
- 8. Sample ISO Third Party Security Awareness Standard
- The Third Party Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on security awareness education and training for third party personnel.
- 9. Sample ISO Ongoing Security Awareness Standard
- The Ongoing Security Awareness Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements on ongoing security awareness education and training for employees.
- 10. Sample ISO Security Awareness Accessibility Standard
- The Security Awareness Accessibility Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Security Awareness Policy by providing specific instructions and requirements for ensuring appropriate access to the Information Security Program Charter and associated policies and standards.
- 11. Sample ISO Incident Response Standard
- The Incident Response Standard is required to comply with ISO Personnel Security objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions.