J. H. Abawajy IT Security Management Slide#: 1


IT Security Management
Personnel Security
Awareness, Training
and Education
Learning Objectives
After completing this chapter, you should be able to
Explain standards for staffing the security function
Explain employment policies and practices
Explain the need for personnel security
Explain the principles of personnel security and identify
methods to implement personnel security
Explain the purpose of security awareness, training and
education and identify various possible delivery methods
for security awareness programs
Background
A company's existence could depend on the
integrity of its employees.
Unauthorised release of sensitive information
could destroy the corporation's reputation or
damage it financially.
Without security processes in place, an
organisation's reputation could be destroyed.
Partners and customers with system access
are also a source of exposure.
Human-related IT security risks are a major
source of enterprise security vulnerabilities.
The Human Factor
Humans are the strongest line of defence.
However, they are also the weakest link.
Humans are the Achilles' heel of information security.
Why is Personnel Security Important?
Insider threat is a prime information security
concern.
FBI statistics indicate that 72% of all thefts, fraud,
sabotage, and accidents are caused by a
company's own employees.
Another 15 to 20% comes from contractors and
consultants.
Only about 5% to 8% comes from external people.
It is one of the most significant and difficult to
mitigate security vulnerabilities.
Why is Personnel Security Important?
It's true that young workers deeply embrace
technology. According to the study:
Seven out of ten young workers were aware of their
employer's IT policies, but violated them regularly.
An alarming 80% of young workers indicated they
violated IT policies either all or most of the time.
Over half, 52%, believed they had no responsibility for
securing their work devices or data.
Insider Threat Types
Definition: Insider threat is a threat introduced by a
trusted entity (e.g., current or former employee, contractor,
or business partner) who has or had authorised access to
an organization's network, system, or data
Generally it can be divided into:
Unintentional insider threat
Unintentional compromise of sensitive information either by
mistake or through attacks such as social engineering.
Example: The recent breach at Target Corp. was a malware-laced
email phishing attack sent to employees.
Malicious insider threat
Intentional compromise of sensitive information
Example: Edward Snowden saga
Reducing Intentional Insider Threat
Involves both technical and non-technical
controls
Some of these control mechanisms are:
Separation of duties
Two-person control
Job rotation and Task rotation
Mandatory vacation
Principle of least privilege
Periodic review of logs
Using honey tokens
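As an added example, not from the lecture slides: a small periodic log review that applies two of the controls listed above, honey tokens and separation of duties, to constructed audit-log lines (the log format, user names and token names are assumptions made for illustration).

```python
# Added example (not from the lecture slides): a periodic log review that
# applies two of the controls listed above, honey tokens and separation of
# duties, to constructed audit-log lines. Log format, user names and token
# names are assumptions for illustration.
import re
from collections import defaultdict

# Hypothetical honey tokens: decoy records that no legitimate job ever touches,
# so any access to them is a high-confidence signal worth investigating.
HONEY_TOKENS = {"payroll_archive_2019.xlsx", "svc_backup_legacy"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2024-05-01T08:01:10Z user=alice action=read target=invoices_q1.csv
2024-05-01T08:05:42Z user=bob action=read target=payroll_archive_2019.xlsx
2024-05-01T09:12:00Z user=carol action=submit target=payment#4471
2024-05-01T09:13:30Z user=carol action=approve target=payment#4471
2024-05-01T09:20:05Z user=dave action=submit target=payment#4472
2024-05-01T09:25:11Z user=erin action=approve target=payment#4472
2024-05-01T10:00:00Z user=bob action=login target=svc_backup_legacy
"""

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def honey_token_hits(events):
    """Return (user, target) for every access to a honey token."""
    return [(e["user"], e["target"]) for e in events if e["target"] in HONEY_TOKENS]

def sod_violations(events):
    """Separation of duties: the user who submits a payment may not approve it."""
    roles = defaultdict(dict)  # target -> {action: user}
    for e in events:
        if e["action"] in ("submit", "approve"):
            roles[e["target"]][e["action"]] = e["user"]
    return [t for t, r in roles.items()
            if "submit" in r and "approve" in r and r["submit"] == r["approve"]]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("honey token hits:", honey_token_hits(evs))
    print("separation-of-duties violations:", sod_violations(evs))
```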
Personnel Security Controls
Unintentional Insider Threat
Unintentional insider threat associated with personnel is due to:
Lack of organisational policy awareness or failure to adhere to it
The majority of attacks (e.g., virus & social engineering) feed on
employees' lack of knowledge about security
Advances in size and miniaturisation of IT
Can be handled by:
Security awareness, training and education
Security as part of performance evaluation
Reducing Unintentional Insider Threat
Reducing accidental security breaches involves both
technical and non-technical controls.
Security Education, Training, and Awareness (SETA)
are examples of non-technical control measures:
Improving security awareness of the need to protect
system resources
Developing skills and knowledge (i.e., security training)
so computer users can perform their jobs more
securely
Building in-depth knowledge (i.e., security education)
to design, implement, or operate security programs for
organisations and systems.
Purposes of SETA
They are preventative measures
SETA is generally the responsibility of the CISO
Build intentions to adhere to enterprise
technology rules and best practices.
Builds an in-depth knowledge base to design,
implement, or operate security programs for
organizations and systems
Develops skills and knowledge so that users can
perform their jobs using IT systems more securely
Improves awareness of the need to protect system
resources
Information Security Awareness
IT Security Awareness Goal
Most basic level of SETA
Used for employees who are new or
unskilled
Gets employees to focus on security
Least common, but extremely effective
Delivery methods
Get the word out with mugs, t-shirts, posters,
banners, conferences, newsletters, bulletin
boards, security alerts (email, social media,
blogs, etc.), classes, seminars, screen lockers,
emails, games, etc. to reach employees.
Avoid boring staff, so that they do not tune out.
Refrain from overloading users and from
using technical jargon; speak the language
the users understand.
Information Security Training
IT Security Training Goal
Intermediate level of SETA
To provide detailed information and hands-on instruction to give
skills to users to perform their duties securely
Management can develop customised in-house training or
outsource the training program
Delivery Methods
One-on-One Method
Formal Class
Computer-Based Training
User Support Groups
On The Job Training
Self-Study
Distance learning/ Web Seminars
Keep in mind that
Do not treat all staff as equal; take into account the level of technical expertise
(novice, intermediate, and advanced) and functional background (general user,
managerial user, and technical user).
Make it fun to maximize success rate
Information Security Education
IT Security Education Goal
Highest level of SETA
Used for employees in highly technical or
skilled positions that demand greater
information security
Delivery Methods
When formal education for individuals in
security is needed, an employee can
identify curriculum available from local
institutions of higher learning or
continuing education
A number of universities have formal
coursework in information security
Comparative SETA Framework
Evaluation and Performance Criteria
There is a measured improvement in employee
awareness of system security principles and
performance of duties in a secure manner.
Examples include
decreases in failed access attempts,
password failures and
help desk password resets.
Personnel Security
Employment Policy and Hiring Practices, and Staffing the Security Function
Security Risk Posed By Personnel
Personnel of an organisation may include regular
(full-time or part-time) staff employees, contractors,
consultants or temporary workers.
Current employees (Full-Time and Part-Time) pose
perhaps the greatest risk in terms of access and potential
damage to critical information systems.
Former employees often retain sufficient access to the
organisation's information resources directly -- through
"backdoors" -- or indirectly through former associates.
A departing employee who has just accepted a position with
a major competitor may have access to trade secrets that
are the foundation of the corporation's success.
A new employee's ethical outlook is unknown to the
company.
Security Risk Posed By Personnel
Contractors, Partners, Consultants and
Temporary Workers
Often have highly privileged access to extremely sensitive
and confidential information.
They are often not subjected to
the same screening and background checks.
the contractual obligations or general policies that govern other
employees
This increases the risk of information security breaches.
A lesser degree of loyalty to the firm or agency would be
anticipated.
Temporary workers face lower wages, fewer benefits, and less
job security.
Staffing the Security Function
Goal
To improve the IT security staffing discipline
Mechanism - Learn more about position requirements
and qualifications for both IT security positions and
relevant IT positions
Information security professional credentials such as
CISSP
Grant the information security function (and CISO) an
appropriate level of influence and prestige
Develop an information security organisational staffing plan
When hiring information security professionals at all levels,
organisational, behavioral and information security
concepts and knowledge are desirable.
Staffing Process
Goal
To integrate information security into the hiring process
Mechanism
When advertising open positions, omit the elements of
the job description that describe access privileges
Monitoring and nondisclosure agreements must be
made a part of the employment contracts. Apply
employment contingent upon agreement where
required
New employees should receive, as part of their
orientation, an extensive information security briefing
Vetting Personnel
Goal
to determine if a potential employee is trustworthy
Mechanism
Verify identity and personal information
Verify professional credentials, previous employment and
education
Verify character of individual; may include
Interview with individual - avoid candidates entering secure
and restricted sites and limit the information provided to the
candidates on the access rights of the position
Checking provided references - A background check (may
include criminal records) should be conducted before making
an offer to any candidate
Managing Temporary Employee Risks
Goal
Minimising IT security risk posed by temporary workers
Mechanism
Although they have access to company information,
they are not usually held accountable for their actions
Access to information should be limited to what is
necessary to perform their duties
They should be made to follow good security practices
An appropriate summary of the information security
policies must be formally delivered to, and accepted
by, all temporary staff, prior to their starting any work
for the organisation.
Managing Contractor Risks
Goal
Minimising IT security risk posed by Contractors
Mechanism
Professional contractors may require access to virtually
all areas of the organisation to do their jobs. However,
service contractors do not.
Thus, service contractors should be escorted into and
out of the secure facility;
Always require verification for services
Ensure there is advance notice for scheduling,
rescheduling or cancellation of maintenance visits.
Managing Risk Posed by Consultants
Goal
Minimising IT security risk posed by Consultants
Mechanism
Apply the principle of least privilege when
working with consultants.
Special requirements (e.g., information or
facility access requirements) should be
integrated into the contract
They must be prescreened, escorted, and
subjected to nondisclosure agreements.
Business Partners
Goal
Businesses sometimes engage in strategic alliances
with other organizations to exchange information,
integrate systems, or enjoy some other mutual
advantage
Mechanism
A prior business agreement must specify the levels
of exposure that both organizations are willing to
tolerate
Nondisclosure agreements are an important part of
any such collaborative effort
Termination Issues
Goal
When an employee leaves an organisation, the following tasks must be
performed:
Mechanism
Two methods for handling employee out-processing, depending on
the employee's reasons for leaving, are:
Hostile departures
Friendly departures
Access to the organisation's systems must be disabled and
keycard access revoked;
Personal effects removed from the premises and the employee
escorted from the premises;
All removable media must be collected and hard drives must be
secured;
File cabinet locks and office door locks must be changed.
Homework Questions
What measures can organisations have in place to ensure
employee mistakes don't become a larger problem?
Briefly discuss the fundamental technology controls to mitigate
insider risks.
Briefly discuss best practices in identifying and responding to
insider threats.
Briefly explain, from your perspective, what attention the Edward
Snowden saga brought to the topic of insider threat.
What are the characteristics of the unintentional insider?
Why are security awareness, training and education so
important?
End of Lecture
Questions?