Employee Security Controls

Post on 25-Feb-2016


Employee Security Controls

CS5493(7493)

Contracts

• Employment contract
  – Accompanying job responsibility description
• Non-Disclosure Agreement
• Acceptable Usage Policy
• Service Level Agreements

Employee Controls

• Things to consider when hiring:
  – Credit check
  – Background check
  – Drug testing
  – Lie detector test

Employee Controls

• All of the aforementioned controls are intrusive.

• The employee or candidate must be properly informed and must agree.

• Give them an opportunity to make any disclosures.

Employee controls

• Credit check – relatively inexpensive compared to the other listed alternatives.

Employee controls

• Background check
  – Resume verification
  – Job history verification
  – Criminal history check
  – References

Employee Controls

• When conducting a job history check, one can contact former employers.

• Former employers are allowed to disclose information that is accurate, truthful, and not protected by law.

Employee Controls

• Drug testing
• Lie detector test

Expensive to administer, not required for all employees.

Employee Controls

• Separation of Duties
• Need-to-Know
• Job Rotation
• Vacations
• Audits/Reviews

Separation of Duties

• This prevents someone from overseeing their own work: reduces errors and fraud.

Separation of Duties

• The people writing checks to vendors cannot be the same people who make the orders and establish vendor contracts.

Need-to-Know

• Employees will be given access to the information required for them to perform their duties.

Need-to-Know

• Reduces the possibility of improper disclosure of information.

Job Rotation

• Separation of duties and need-to-know can be defeated by collusion. Job Rotation is a strategy to prevent collusion.

Job Rotation

• Makes it possible to track which users were authorized to do what and when.

• Provides redundancy in job positions.

• Enhances human capital.

Vacations

• Vacations are important for determining if your operation can function properly while someone is away.

• A dishonest employee may be hiding something and fearful of ever leaving their post.

Audits/Reviews

• Employees should be reviewed.
  – Usually annually.
• If an employee is not following security controls, find out why.
  – Could be out of ignorance
  – Could be deliberate deception

Disclosure

• Employees need to know why Employee-Controls are necessary.
  – For example, explain the necessity of need-to-know
  – Employees can be disgruntled if they don’t know why they are uninformed about some issues

Exit Interviews

• Create a record of why an employee leaves.

Exit Interviews

• Make a checklist of actions
  – Collect physical access items: keys, keycards, etc.
  – Close accounts
  – Notify vendors, contractors, business partners, helpdesk, etc. (create a list of contacts).