IT Security Management
Personnel Security: Security Awareness, Training and Education
J. H. Abawajy, IT Security Management

Learning Objectives
After completing this chapter, you should be able to:
- Explain standards for staffing the security function
- Explain employment policies and practices
- Explain the need for personnel security
- Explain the principles of personnel security and identify methods to implement personnel security
- Explain the purpose of security awareness, training and education and identify various possible delivery methods for security awareness programs

Background
- A company's existence could depend on the integrity of its employees.
- Unauthorised release of sensitive information could destroy the corporation's reputation or damage it financially.
- Without security processes in place, an organisation's reputation could be destroyed.
- Partners and customers with system access are also a source of exposure.
- Human-related IT security risks are a major source of enterprise security vulnerabilities.

The Human Factor
- Humans are the strongest line of defence.
- However, they are also the weakest link: humans are the Achilles heel of information security.

Why Is Personnel Security Important?
- Insider threat is a prime information security concern.
- FBI statistics indicate that 72% of all thefts, fraud, sabotage, and accidents are caused by a company's own employees. Another 15 to 20% comes from contractors and consultants. Only about 5% to 8% comes from external people.
- It is one of the most significant and difficult-to-mitigate security vulnerabilities.

Why Is Personnel Security Important? (continued)
- It's true that young workers deeply embrace technology. According to the study:
  - Seven out of ten young workers were aware of their employer's IT policies, but violated them regularly.
  - An alarming 80% of young workers indicated they violated IT policies either all or most of the time.
  - Over half, 52%, believed they had no responsibility for securing their work devices or data.

Insider Threat Types
Definition: an insider threat is a threat introduced by a trusted entity (e.g., a current or former employee, contractor, or business partner) who has or had authorised access to an organisation's network, systems, or data.
Generally it can be divided into:
- Unintentional insider threat: unintentional compromise of sensitive information, either by mistake or through attacks such as social engineering. Example: the recent breach at Target Corp. began with a malware-laced phishing email sent to employees.
- Malicious insider threat: intentional compromise of sensitive information. Example: the Edward Snowden saga.

Reducing Intentional Insider Threat
Involves both technical and non-technical controls. Some of these control mechanisms are:
- Separation of duties
- Two-person control
- Job rotation and task rotation
- Mandatory vacation
- Principle of least privilege
- Periodic review of logs
- Using honey tokens

Personnel Security Controls

Unintentional Insider Threat
Unintentional insider threat associated with personnel is due to:
- Lack of organisational policy awareness, or failure to adhere to it. The majority of attacks (e.g., viruses and social engineering) feed on employees' lack of knowledge about security.
- Advances in size and miniaturisation of IT.
It can be handled by:
- Security awareness, training and education
- Security as part of performance evaluation
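As an added example (not code from the lecture slides), here is how two of the intentional-insider controls listed above, periodic review of logs combined with honey tokens, and separation of duties, can be turned into automated checks over an audit trail. The log format, user names, object identifiers and log lines are all constructed for illustration; nothing here is taken from a real system.

```python
# Added example (not from the lecture slides): honey-token detection and a
# separation-of-duties check, run over an audit log. All user names, object
# ids, the log format and the log lines below are constructed.
import re
from collections import defaultdict

# Constructed honey tokens: decoy records that no legitimate business process
# reads, so any access to one is a high-confidence signal for investigation.
HONEY_TOKENS = {"CUST-000999", "HR-SALARY-DECOY"}

# Separation of duties: action pairs one person must never perform on the
# same object (a payment must be approved by someone other than its creator).
SOD_CONFLICTS = {("create_payment", "approve_payment")}

# Assumed log format (constructed): "<timestamp> user=<u> action=<a> object=<o>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+object=(?P<obj>\S+)$"
)


def parse_log(lines):
    """Parse audit lines into dicts. Malformed lines are skipped rather than
    fatal, so one bad line cannot abort the whole periodic review."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def honey_token_hits(events):
    """Every touch of a honey token, as (user, object, timestamp)."""
    return [(e["user"], e["obj"], e["ts"]) for e in events if e["obj"] in HONEY_TOKENS]


def sod_violations(events):
    """(user, object) pairs where one user performed both halves of a
    conflicting action pair on the same object."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["obj"])].add(e["action"])
    violations = []
    for (user, obj), actions in sorted(seen.items()):
        if any(a in actions and b in actions for a, b in SOD_CONFLICTS):
            violations.append((user, obj))
    return violations


# Constructed sample log: alice/bob follow the two-person rule, carol does
# not, dave reads a decoy record, and one line is deliberately malformed.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z user=alice action=create_payment object=PAY-1001",
    "2024-03-01T09:05:12Z user=bob action=approve_payment object=PAY-1001",
    "2024-03-01T10:15:00Z user=carol action=create_payment object=PAY-1002",
    "2024-03-01T10:16:30Z user=carol action=approve_payment object=PAY-1002",
    "2024-03-01T11:42:07Z user=dave action=read object=CUST-000999",
    "corrupted line that the parser must tolerate",
]


def review(lines):
    """Run both checks over the log and return one report dict."""
    events = parse_log(lines)
    return {
        "events_parsed": len(events),
        "honey_token_hits": honey_token_hits(events),
        "sod_violations": sod_violations(events),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

Both checks are deliberately simple: a honey-token hit needs no baseline because the decoy has no legitimate readers, and the separation-of-duties check only needs to know which action pairs conflict. In practice the same review would run on a schedule against the real audit source, with its findings routed to the people who own the investigation.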
Reducing Unintentional Insider Threat
Reducing accidental security breaches involves both technical and non-technical controls. Security Education, Training, and Awareness (SETA) are examples of non-technical control measures:
- Improving security awareness of the need to protect system resources
- Developing skills and knowledge (i.e., security training) so computer users can perform their jobs more securely
- Building in-depth knowledge (i.e., security education) to design, implement, or operate security programs for organisations and systems

Purposes of SETA
- They are preventative measures.
- SETA is generally the responsibility of the CISO.
- Builds intentions to adhere to enterprise technology rules and best practices.
- Builds an in-depth knowledge base to design, implement, or operate security programs for organisations and systems.
- Develops skills and knowledge so that users can perform their jobs using IT systems more securely.
- Improves awareness of the need to protect system resources.

Information Security Awareness
Goal
- Most basic level of SETA
- Used for employees who are new or unskilled
- Gets employees to focus on security
- Least common, but extremely effective
Delivery methods
- Get the word out with mugs, t-shirts, posters, banners, conferences, newsletters, bulletin boards, security alerts (email, social media, blogs, etc.), classes, seminars, screen lockers, emails, games, etc. to reach employees.
- Avoid boring staff; prevent tune-out.
- Refrain from overloading users and from using technical jargon; speak the language the users understand.
Information Security Training
Goal
- Intermediate level of SETA
- To provide detailed information and hands-on instruction that gives users the skills to perform their duties securely
- Management can develop customised in-house training or outsource the training program
Delivery methods
- One-on-one method
- Formal class
- Computer-based training
- User support groups
- On-the-job training
- Self-study
- Distance learning / web seminars
Keep in mind:
- Do not treat all staff as equal; take into account the level of technical expertise (novice, intermediate, and advanced) and functional background (general user, managerial user, and technical user).
- Make it fun to maximise the success rate.

Information Security Education
Goal
- Highest level of SETA
- Used for employees in highly technical or skilled positions that demand greater information security
Delivery methods
- When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education.
- A number of universities have formal coursework in information security.

Comparative SETA Framework

Evaluation and Performance Criteria
- There is a measured improvement in employee awareness of system security principles and performance of duties in a secure manner.
- Examples include decreases in failed access attempts, password failures and help desk password resets.

Personnel Security
Employment Policy and Hiring Practices and Staffing the Security Function

Security Risk Posed By Personnel
Personnel of an organisation may include regular (full-time or part-time) staff employees, contractors, consultants or temporary workers.
- Current employees (full-time and part-time) pose perhaps the greatest risk in terms of access and potential damage to critical information systems.
- Former employees often retain sufficient access to the organisation's information resources, either directly (through "backdoors") or indirectly through former associates.
- A departing employee who has just accepted a position with a major competitor may have access to trade secrets that are the foundation of the corporation's success.
- A new employee's ethical outlook is unknown to the company.

Security Risk Posed By Personnel: Contractors, Partners, Consultants and Temporary Workers
- Often have highly privileged access to extremely sensitive and confidential information.
- They are often not subjected to the same screening and background checks, contractual obligations or general policies that govern other employees. This increases the risk of information security breaches.
- A lesser degree of loyalty to the firm or agency would be anticipated.
- Temporary workers face lower wages, fewer benefits, and less job security.

Staffing the Security Function
Goal
- To improve the IT security staffing discipline
Mechanism
- Learn more about position requirements and qualifications for both IT security positions and relevant IT positions
- Information security professional credentials such as CISSP
- Grant the information security function (and the CISO) an appropriate level of influence and prestige
- Develop an information security organisational staffing plan
- When hiring information security professionals at all levels, organisational, behavioural and information security concepts and knowledge are desirable.
Staffing Process
Goal
- To integrate information security into the hiring process
Mechanism
- When advertising open positions, omit the elements of the job description that describe access privileges.
- Monitoring and nondisclosure agreements must be made a part of the employment contracts.
- Make employment contingent upon agreement where required.
- New employees should receive, as part of their orientation, an extensive information security briefing.

Vetting Personnel
Goal
- To determine if a potential employee is trustworthy
Mechanism
- Verify identity and personal information
- Verify professional credentials, previous employment and education
- Verify the character of the individual; this may include:
  - Interview with the individual: avoid candidates entering secure and restricted sites, and limit the information provided to candidates on the access rights of the position
  - Checking provided references
  - A background check (which may include criminal records) should be conducted before making an offer to any candidate

Managing Temporary Employee Risks
Goal
- Minimising IT security risk posed by temporary workers
Mechanism
- Although they have access to company information, they are not usually held accountable for their actions.
- Access to information should be limited to what is necessary to perform their duties.
- They should be made to follow good security practices.
- An appropriate summary of the information security policies must be formally delivered to, and accepted by, all temporary staff prior to their starting any work for the organisation.

Managing Contractor Risks
Goal
- Minimising IT security risk posed by contractors
Mechanism
- Professional contractors may require access to virtually all areas of the organisation to do their jobs. However, service contractors do not.
- Thus, service contractors should be escorted into and out of the secure facility.
- Always require verification for services.
- Ensure there is advance notice for scheduling, rescheduling or cancellation of maintenance visits.

Managing Risk Posed by Consultants
Goal
- Minimising IT security risk posed by consultants
Mechanism
- Apply the principle of least privilege when working with consultants.
- Special requirements (e.g., information or facility access requirements) should be integrated into the contract.
- They must be prescreened, escorted, and subjected to nondisclosure agreements.

Business Partners
Goal
- Businesses sometimes engage in strategic alliances with other organisations to exchange information, integrate systems, or enjoy some other mutual advantage.
Mechanism
- A prior business agreement must specify the levels of exposure that both organisations are willing to tolerate.
- Nondisclosure agreements are an important part of any such collaborative effort.

Termination Issues
Goal
- When an employee leaves an organisation, the following tasks must be performed.
Mechanism
- Two methods for handling employee out-processing, depending on the employee's reasons for leaving, are hostile departures and friendly departures.
- Access to the organisation's systems must be disabled and keycard access revoked.
- Personal effects must be removed from the premises and the employee escorted from the premises.
- All removable media must be collected and hard drives secured.
- File cabinet locks and office door locks must be changed.

Homework Questions
- What measures can organisations have in place to ensure employee mistakes don't become a larger problem?
- Briefly discuss the fundamental technology controls to mitigate insider risks.
- Briefly discuss best practices in identifying and responding to insider threats.
- Briefly explain, from your perspective, what attention the Edward Snowden saga brought to the topic of insider threat.
- What are the characteristics of the unintentional insider?
- Why are security awareness, training and education so important?

End of Lecture
Questions?
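The Termination Issues slide requires that system access be disabled and keycard access revoked, and the personnel-risk slides warn that former employees often retain access. As an added example, not part of the lecture material, the following script reconciles an entitlement inventory against an HR leaver list to find access that survived out-processing, plus accounts that no current or former employee owns. All names, systems, dates and records are constructed for illustration.

```python
# Added example (not from the lecture slides): an offboarding reconciliation
# that finds accounts still enabled after their owner has left, and accounts
# with no known owner. HR records, the entitlement inventory, and every name
# and date below are constructed.
from datetime import date

# Constructed HR feed: account name -> last working day.
DEPARTED = {
    "bob": date(2024, 2, 28),   # already left: nothing should remain enabled
    "erin": date(2024, 3, 15),  # still serving notice: access is still legitimate
}

# Constructed list of current staff, also from HR (erin's last day is ahead).
CURRENT_STAFF = {"alice", "carol", "erin"}

# Constructed inventory pulled from each system: (system, account, enabled).
ENTITLEMENTS = [
    ("vpn", "bob", True),
    ("badge", "bob", False),      # keycard already revoked, as the slide requires
    ("git", "bob", True),
    ("vpn", "alice", True),
    ("mail", "erin", True),
    ("git", "svc-legacy", True),  # nobody in HR owns this account
]

# Date the review is run (constructed).
REVIEW_DATE = date(2024, 3, 1)


def residual_access(entitlements, departed, current_staff, today):
    """Sorted findings (kind, system, account) for enabled accounts whose
    owner left on or before `today`, or whose owner is unknown to HR."""
    findings = []
    for system, account, enabled in entitlements:
        if not enabled:
            continue
        if account in departed and departed[account] <= today:
            findings.append(("departed_still_enabled", system, account))
        elif account not in departed and account not in current_staff:
            findings.append(("unowned_account", system, account))
    return sorted(findings)


def revocation_checklist(entitlements, account):
    """Per-system list of what is still enabled for one leaver; this drives
    the disable/revoke step of out-processing."""
    return sorted(system for system, acct, enabled in entitlements
                  if acct == account and enabled)


def run_review():
    """Reconcile the constructed inventory against HR as of REVIEW_DATE."""
    return residual_access(ENTITLEMENTS, DEPARTED, CURRENT_STAFF, REVIEW_DATE)


if __name__ == "__main__":
    for kind, system, account in run_review():
        print(f"{kind}: {account} on {system}")
    print("still to revoke for bob:", revocation_checklist(ENTITLEMENTS, "bob"))
```

Running this check on a schedule, rather than only on the day someone leaves, is what catches the "backdoor" case the slides describe: an account that was missed during out-processing, or one that was never tied to a person in the first place.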