Security Planning Susan Lincke Organizing Personnel Security

Post on 26-Dec-2015


Security Planning
Susan Lincke

Organizing Personnel Security

Security Planning: An Applied Approach | 04/19/23 | 2

Objectives

The students should be able to:

• Define and describe security awareness, security training, and security education.
• Apply segregation of duties to information technology with regard to a business.
• Plan allocation of security responsibility, documentation, and training.
• Describe good practices for hiring and terminating an employee.

Security Issues with Personnel

Personnel are the weak link: social engineering (phishing, pharming, etc.).

Issues to look at include:

• Background checks
• Skills mgmt.
• Signed documents
• Segregation of duties
• Job descriptions
• Need-to-know
• Contracts
• Policies/procedures
• Config mgmt.
• Security awareness & training
• Job skill training
• Fraud reporting
• Return equipment
• Disable accounts

PERSONNEL-FRAUD ISSUES

• Segregation of Duties
• Documentation:
  • Configuration management
  • Change control
• Training

Workbook: Personnel Security
Personnel Threats

Threat                   Role                         Liability or cost if threat occurs
Divulging private info   Employee                     FERPA violation = loss of federal funds
Skim payment cards       Salesperson                  PCI DSS, state breach violation
Grant abuse              Employee with grant          Loss of funds from US granting agencies
Abuse of student         Employee, student, visitor   Bad press (loss in reputation); may incite lawsuit

Fraud Control Types

Before fraud (BEST): Preventive Controls
Preventing fraud includes:
• Segregation of duties
• Security roles
• Ethical culture
• Internal controls: physical & data security, need-to-know, signed documents
• Fraud and security awareness training
• Employee support programs
• Background checks

Time of fraud: Detective Controls
Finding fraud when it occurs includes:
• Anonymous hotline
• Surprise audits
• Monitoring activities
• Logged transactions
• Employee badges
• Complaint or fraud investigation
• Mandatory vacations
• Job rotation

After fraud: Corrective Controls
• Punishment
• Amend controls
• Fidelity insurance
• Employee bonding

Security Roles

• Chief Information Security Officer
• Data Owner, Process Owner: allocates permissions, defines safe processes.
• Info Security Steering Committee: management with knowledge of business and/or security functions defines security.
• Incident Response Management/Team: decides or performs functions related to incident response.
• Security Analyst, Security Administrator: security staff who design or implement security functions.

Segregation of Duties

Four functions, each assigned to a different person:

• Origination
• Authorization: approves
• Verification: double-checks
• Distribution: acts on

Organizational Segregation of Duties

Roles: Development, System/Network Admin, Business, Audit, Security/Compliance, Quality Control

• Business advises Development.
• Development delivers S/W to System/Network Admin (production).
• System/Network Admin serves Business.
• Quality Control tests or ensures quality of S/W or production.
• Security/Compliance advises & monitors for security.
• Audit ensures procedures are professionally done.

IT Segregation of Duties

• Development Environment: Application Programmer, Systems Programmer
• Production Environment: Computer Operator, System Administrator, Network Administrator, Help Desk
• Test Environment: Quality Assurance
• Security Control Group: Security Admin
• Requirements/Design: Systems Analyst, Database Administrator
• User: End User, Data Entry

Segregation of Duties Controls

• Transaction authorization
• Asset inventory & custody
• Data owner's responsibility is specific and documented
  • Allocates authorization according to least privilege and segregation of duties
• Security Administrator implements physical, system & application security
  • Authorization forms
  • User authorization tables: who can view/update/delete data at transaction or field level
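A worked illustration of the two controls on this slide, added here and not part of the original slides: a small Python program that holds a segregation-of-duties conflict list (the preventive check a data owner applies when allocating roles) and a field-level user authorization table, and that refuses any role assignment that would put conflicting duties on one person. The role names, conflict pairs, the `payments` table and its authorization rows are assumptions made for this example, not an organization's actual policy.

```python
"""Segregation-of-duties (SoD) check plus a field-level user authorization table.

Added example: the roles, conflict pairs, table names and authorization rows
below are constructed assumptions for illustration, not a real policy.
"""
from itertools import combinations

# Role pairs that must never sit with one person (assumption). Each pair lets a
# single employee both originate and approve, or build and run, without review.
SOD_CONFLICTS = {
    frozenset({"application_programmer", "system_administrator"}),
    frozenset({"application_programmer", "quality_assurance"}),
    frozenset({"database_administrator", "data_entry"}),
    frozenset({"transaction_origination", "transaction_authorization"}),
}

# User authorization table (assumption): (role, table) -> action -> permitted
# fields. "*" means every field of that table.
AUTHORIZATION_TABLE = {
    ("data_entry", "payments"): {
        "view": {"amount", "payee"},
        "update": {"amount", "payee"},
    },
    ("transaction_origination", "payments"): {
        "view": {"*"},
        "update": {"amount", "payee"},
    },
    ("transaction_authorization", "payments"): {
        "view": {"*"},
        "update": {"approved"},
    },
    ("help_desk", "payments"): {"view": {"payee"}},
}


def sod_violations(assignments):
    """Return {user: [(role_a, role_b), ...]} for every user holding a conflicting pair.

    assignments maps a user name to the set of roles currently assigned to them.
    Pairs are reported in sorted order so the result is deterministic.
    """
    violations = {}
    for user, roles in assignments.items():
        conflicts = [
            (a, b)
            for a, b in combinations(sorted(roles), 2)
            if frozenset((a, b)) in SOD_CONFLICTS
        ]
        if conflicts:
            violations[user] = conflicts
    return violations


def assign_role(assignments, user, role):
    """Preventive control: add a role only if it creates no SoD conflict for the user."""
    proposed = set(assignments.get(user, set())) | {role}
    if sod_violations({user: proposed}):
        raise PermissionError(f"{user}: role {role!r} conflicts with existing roles")
    assignments.setdefault(user, set()).add(role)
    return assignments


def is_authorized(assignments, user, action, table, field):
    """Field-level check: some role of the user must grant `action` on (table, field)."""
    for role in assignments.get(user, set()):
        permitted = AUTHORIZATION_TABLE.get((role, table), {}).get(action, set())
        if "*" in permitted or field in permitted:
            return True
    return False


if __name__ == "__main__":
    # Constructed staff list: alice was given two conflicting roles by hand.
    staff = {
        "alice": {"application_programmer", "system_administrator"},
        "bob": {"data_entry"},
    }
    print("SoD violations:", sod_violations(staff))
    print("bob may update payments.amount:", is_authorized(staff, "bob", "update", "payments", "amount"))
    print("bob may update payments.approved:", is_authorized(staff, "bob", "update", "payments", "approved"))
    try:
        assign_role(staff, "bob", "database_administrator")
    except PermissionError as exc:
        print("refused:", exc)
```

The conflict list is checked both on the existing assignments (to find violations introduced by hand) and before every new assignment (to prevent them), which mirrors the slide's split between the data owner allocating authorization and the security administrator implementing it.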

Tools to Control Documents: Configuration Management

Central repository = electronic library or document management system.

• Retains important documents:
  • Software development teams: requirements, design, test documents, and program code
  • Project, audit and security plans
• Maintains history: holds a snapshot of each version of every document; any version can be retrieved at any time.
• Permits users to check out a document; edit, review or approve the document; and check it in with an increased version number. The reason for the revision and the author are recorded and later available as version history.

Tools to Control Documents: Change Management

Change management helps to create different configuration management versions. It maintains the state of a change proposal:

1. Starts with a Change Request, which may be
2. analyzed and approved by management for implementation. The change is then
3. implemented (e.g., programmed or acted upon) and then
4. tested and approved, when the change is ready for deployment.

Documentation for each of these stages is maintained in a change management or configuration management repository. Emails may notify stakeholders of changes of status.
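The four-stage lifecycle above, carried through as an added Python example (not code from the slides or from any change management product): a change request that can only move forward one stage at a time, that requires the right role for each stage, that keeps a history record per transition, and that appends a status notification standing in for the e-mails the slide mentions. The state names, role names, people and the `STAKEHOLDERS` list are assumptions made for the example. It also enforces two segregation-of-duties rules drawn from the earlier slides: a requester may not approve their own change, and the implementer may not test or deploy it.

```python
"""Change-request lifecycle with recorded history and status notifications.

Added example: the states, transitions, role names, people and notification
list are constructed assumptions, not the workflow of any real tool.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Permitted state transitions (assumption). A change moves forward one stage
# at a time; management may reject it before implementation starts.
TRANSITIONS = {
    "requested": {"analyzed", "rejected"},
    "analyzed": {"approved", "rejected"},
    "approved": {"implemented"},
    "implemented": {"tested"},
    "tested": {"deployed"},
    "deployed": set(),
    "rejected": set(),
}

# Role that may move a change into each state (assumption): management
# analyzes/approves, a developer implements, QA tests and releases.
REQUIRED_ROLE = {
    "analyzed": "management",
    "approved": "management",
    "rejected": "management",
    "implemented": "developer",
    "tested": "qa",
    "deployed": "qa",
}

STAKEHOLDERS = ["requester", "change-board", "operations"]  # assumed distribution list


@dataclass
class ChangeRequest:
    cr_id: str
    title: str
    requester: str
    state: str = "requested"
    implementer: Optional[str] = None
    history: list = field(default_factory=list)        # one record per transition
    notifications: list = field(default_factory=list)  # stands in for status e-mails

    def advance(self, new_state, actor, actor_role, reason):
        """Move to new_state if the transition, the actor's role and SoD rules allow it."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.cr_id}: {self.state} -> {new_state} is not permitted")
        if REQUIRED_ROLE[new_state] != actor_role:
            raise PermissionError(f"{self.cr_id}: {new_state} requires role {REQUIRED_ROLE[new_state]}")
        # Segregation of duties: nobody approves their own request, and the
        # person who implemented a change does not test or deploy it.
        if new_state == "approved" and actor == self.requester:
            raise PermissionError(f"{self.cr_id}: requester cannot approve own change")
        if new_state in ("tested", "deployed") and actor == self.implementer:
            raise PermissionError(f"{self.cr_id}: implementer cannot test or deploy own change")
        if new_state == "implemented":
            self.implementer = actor
        self.history.append({
            "from": self.state, "to": new_state, "by": actor, "role": actor_role,
            "reason": reason, "at": datetime.now(timezone.utc).isoformat(),
        })
        self.state = new_state
        self.notifications.append(
            f"to {', '.join(STAKEHOLDERS)}: {self.cr_id} '{self.title}' is now {new_state} ({reason})"
        )
        return self.state


def run_through(cr):
    """Drive a constructed change from request to deployment; returns the state path."""
    cr.advance("analyzed", "morgan", "management", "in scope, low risk")
    cr.advance("approved", "morgan", "management", "approved by change board")
    cr.advance("implemented", "dev-kim", "developer", "config change applied in staging")
    cr.advance("tested", "qa-lee", "qa", "regression suite passed")
    cr.advance("deployed", "qa-lee", "qa", "released to production")
    return [h["to"] for h in cr.history]


if __name__ == "__main__":
    cr = ChangeRequest("CR-0001", "Rotate service account password", requester="pat")
    print(run_through(cr))
    for note in cr.notifications:
        print(note)
```

The `history` list is the per-stage documentation the slide says belongs in the change or configuration management repository; because each record carries the actor, role, reason and timestamp, an auditor can later reconstruct who approved what.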

Security Awareness & Training

Training covers what is expected of employees:
• Why is policy in place?
• How is policy enforced?

Training may be implemented as:
• New employee orientation
• Company newsletters

Determine effectiveness by interviewing employees.

Types of Security Training

Awareness:
• Function: create a security-conscious workforce
• Audience: employees, partners & vendors
• Methods: newsletters, surveys, quizzes, video training, forums, posters

Training:
• Function: necessary skills for a particular position
• Audience: HR, legal, middle or top mgmt, IT, programmers
• Methods: workshops, conferences

Education:
• Function: high-level skills
• Audience: high-skilled professions: audit, security admin/mgmt, risk mgmt, ...
• Methods: organized and gradual development: teaching & coaching

Awareness Training

Signed employment agreements, video, memos, emails, posters, seminars and training classes: a combination of parallel approaches.

Knowledge areas:
• Back up work-related files
• Choosing passwords and avoiding exposure
• Avoiding email and web viruses
• Recognizing social engineers
• Recognizing & reporting security incidents
• Securing electronic & paper media against theft & exposure
• Spotting malware that could lead to identity theft & desktop spying

Metrics should be established to determine the effectiveness of change in behavior and workforce attitude.

Security Certificates & Continuing Education

Security certification(s)           Minimum 1-year requirement   Minimum 3-year requirement
CISSP, CISA, CISM, CRISC, CEH       20                           120
SSCP, CAP, HCISPP                   10                           60
Security+                           -                            50
Other CompTIA certificates          -                            20-75

Other Personnel Preventive Controls

• Training and written policies and procedures
• Ethical culture: management must live, mentor, and insist on ethical behavior.
• Employee support programs: address personal/financial problems before they become unmanageable.
• Background checks: for handlers of PII.
• Need to know/least privilege

Detective & Corrective Controls

Detective/Deterrence Controls
• Fraud reporting or hotline
• Logged transactions
• Internal Audit Dept and surprise audits
• Mandatory vacations or job rotation

Corrective Controls
• Employee bonding: insurance protects against losses due to theft, mistakes and neglect.
• Fidelity insurance: insurance against fraud or employee misdeeds is useful for rare but expensive risks.
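Two of the detective controls listed above, logged transactions and mandatory vacations, are worth seeing in working form. The following Python is an added example, not part of the slides: it parses a small application transaction log and reports (a) transactions that the same person both originated and approved, a segregation-of-duties breakdown visible only in application-level logs, and (b) any activity logged for an employee during a period when they are scheduled to be away, which is exactly what a mandatory-vacation policy is meant to surface. The log lines, user names and vacation window are constructed for the example.

```python
"""Detective controls over an application transaction log.

Added example: the CSV log lines, user names and vacation schedule below are
constructed for illustration; the two checks are generic and not specific to
any product.
"""
import csv
from datetime import date
from io import StringIO

# Constructed application transaction log (originate/approve pairs per txn_id).
SAMPLE_LOG = """timestamp,user,action,txn_id,amount
2024-03-01T09:12:00,dana,originate,T100,1200.00
2024-03-01T09:40:00,erin,approve,T100,1200.00
2024-03-02T10:05:00,dana,originate,T101,4900.00
2024-03-02T10:06:00,dana,approve,T101,4900.00
2024-03-05T14:22:00,dana,originate,T102,300.00
2024-03-05T15:00:00,erin,approve,T102,300.00
2024-03-06T11:00:00,frank,originate,T103,75.00
2024-03-07T09:00:00,erin,approve,T103,75.00
"""

# Constructed mandatory-vacation schedule: user -> (first day, last day) away.
VACATION = {"dana": (date(2024, 3, 4), date(2024, 3, 8))}


def parse_log(text):
    """Parse the CSV log into dicts with a typed amount and the calendar day."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
        row["day"] = date.fromisoformat(row["timestamp"][:10])
    return rows


def self_approvals(rows):
    """Transactions where the originator also approved: a segregation-of-duties breakdown."""
    actors = {}
    for row in rows:
        actors.setdefault(row["txn_id"], {})[row["action"]] = row["user"]
    return sorted(
        txn for txn, by_action in actors.items()
        if "originate" in by_action and by_action.get("approve") == by_action["originate"]
    )


def activity_during_vacation(rows, vacation):
    """Activity logged for a user who is scheduled to be on mandatory vacation."""
    hits = []
    for row in rows:
        window = vacation.get(row["user"])
        if window and window[0] <= row["day"] <= window[1]:
            hits.append((row["user"], row["txn_id"], row["timestamp"]))
    return hits


def review(text, vacation):
    """Run both detective checks and return the findings keyed by check name."""
    rows = parse_log(text)
    return {
        "self_approval": self_approvals(rows),
        "activity_during_vacation": activity_during_vacation(rows, vacation),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG, VACATION).items():
        print(finding, items)
```

Neither check is possible from firewall or operating-system logs, which do not know what a transaction is or who approved it; that is the point behind the audit-trail question later in this deck.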

Workbook: Personnel Security
Personnel Controls

Threat                   Role                  Control
Divulging private info   Employee              FERPA training: annual quiz review, new employee training
Grant abuse              Employee with grant   Financial controls: employee, administrator and financial office check

Workbook: Personnel Security
Responsibility of Security to Roles

Role: Responsibility

• Registrar:
  • Establish FERPA training
  • Data Owner: student scholastic and financial information
  • Oversee FERPA adherence in Registration dept.
• Admin.:
  • Attend FERPA training
  • Retain locked cabinets with student info
• Security Admin:
  • Monitor logs, enable/disable permissions, rebuild computers after malware infection, collect security metrics for incident response, ...

Workbook: Personnel Security
Requirements: Training, Documentation

Role: Requirements (training, documentation)

• Registrar: FERPA experience in hiring. Training every 3-5 years at a national conference or workshop.
• Employee handling student data: University FERPA documentation, FERPA web page, annual quizzes, sign acceptable use policy.

PERSONNEL ISSUES

• Hiring
• Contracts
• Termination

Personnel Issues

• Background checks can reduce fraud
  • More secure position = more checking required
  • A standard or procedure is useful
• Training & signed contracts
• Track and document theft
  • Minor incidents could add up to a major pattern problem
• Email can be monitored for potential problem employees
  • Assuming policy is in place and employees are aware

Employee Hiring

• Document security responsibilities
• Screen candidates for sensitive positions
• Have signed agreements regarding:
  • Job responsibilities, conditions of employment
  • Security responsibilities (incl. copyright)
  • Confidentiality agreement
  • Corrective actions taken if security requirements are not followed

New Employee Orientation

New employee signs a Privacy Policy document stating that they:
• Have read and agree to follow security policies
• Conform to laws and regulations
• Promise not to divulge logon IDs and passwords
• Create quality passwords
• Lock the terminal when not present
• Report suspected violations of security
• Maintain good physical security (locked doors, private keys)
• Use IT resources only for authorized business purposes

Signed Agreements

• Code of Conduct: describes general ethical behavior requirements.
• Acceptable Use Policy: addresses which company data is accessed and how.
• Privacy Policy: defines behavior regarding confidential info: password policies, physical security, locked terminals, and reporting security issues.
• Service Level Agreement: contract between a customer and provider.

Third Party Agreements

• Define information security policy
• Define procedures to implement policy
• Deploy controls to protect against malicious software
• Publish restrictions on copying/distributing information
• Implement procedures to determine whether assets were compromised
• Ensure return or destruction of data at end of job

Service Level Agreement (SLA)

A Service Level Agreement (SLA) is a contract to outsource IT or another sensitive service.
• Can include networking, business continuity, security or information security.

An SLA ensures levels of quality for performance, security and legal compliance by defining:
• Introduction and Scope of Work
• Security
• Performance, Tracking and Reporting
• Termination of Contract
• Problem Management
• Schedules and General Compensation
• Signatures
• Customer Duties and Responsibilities
• Warranties and Remedies
• Intellectual Property Rights and Confidential Information
• Legal Compliance and Resolution of Disputes

Employee Termination

Employees about to leave or who have left the organization cause 70% of internal information theft.

Unless a continued relationship is expected:
• Disable all corporate accounts and access permissions
• Return equipment
• Revoke access
• Return all access keys, ID cards and budgets
• Notify all staff and security personnel
• Arrange final pay
• Perform termination interview
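The termination checklist above is easy to state and easy to leave half-done; the added Python example below (not code from the slides or from any identity-management product) turns it into a verifiable report. It walks an inventory of a departing employee's access grants, deactivates each one, records which physical items (badge, laptop) have not yet been returned, optionally keeps a named set of systems when a continued relationship is expected, and only reports the off-boarding as complete when nothing remains active or outstanding. The system names, the `Entitlement` inventory, the `deactivate` stand-in for per-system revocation calls and the notification list are assumptions constructed for this example.

```python
"""Employee off-boarding check: revoke every access grant of a departing user and
verify that nothing remains active or unreturned.

Added example: the system names, entitlement inventory, notification list and
the `deactivate` handler are constructed assumptions for illustration, not a
real identity-management API.
"""
from dataclasses import dataclass

# Entitlement kinds (assumption): accounts and keys are deactivated by the
# company; physical items must in addition be handed back by the employee.
PHYSICAL = {"badge", "laptop", "door_key"}


@dataclass
class Entitlement:
    system: str       # "ad", "vpn", "ssh_key", "badge", "laptop", ...
    identifier: str   # account name, key fingerprint, asset tag
    active: bool = True


def deactivate(ent):
    """Stand-in for the per-system revocation call (assumption); idempotent."""
    ent.active = False
    return ent


def offboard(user, inventory, returned, retain=frozenset(),
             notify=("manager", "security", "payroll", "help_desk")):
    """Revoke all of `user`'s grants except those in `retain`, then report what
    was revoked, what physical items are still outstanding, and who was notified.

    inventory: {user: [Entitlement, ...]}; returned: identifiers handed back;
    retain: systems kept because a continued relationship is expected.
    """
    grants = inventory.get(user, [])
    revoked, retained, outstanding = [], [], []
    for ent in grants:
        label = f"{ent.system}:{ent.identifier}"
        if ent.system in retain:
            retained.append(label)
            continue
        deactivate(ent)  # logical access is revoked in every case
        revoked.append(label)
        if ent.system in PHYSICAL and ent.identifier not in returned:
            outstanding.append(label)
    not_retained = [e for e in grants if e.system not in retain]
    return {
        "user": user,
        "revoked": revoked,
        "retained": retained,
        "outstanding": outstanding,
        "still_active": [f"{e.system}:{e.identifier}" for e in not_retained if e.active],
        "notified": list(notify),
        "complete": not outstanding and not any(e.active for e in not_retained),
    }


def build_sample_inventory():
    """Constructed inventory for one departing employee (all values are made up)."""
    return {
        "jdoe": [
            Entitlement("ad", "jdoe"),
            Entitlement("vpn", "jdoe@corp.example"),
            Entitlement("ssh_key", "SHA256:EXAMPLE-FINGERPRINT"),
            Entitlement("badge", "B-1042"),
            Entitlement("laptop", "LT-77"),
        ]
    }


if __name__ == "__main__":
    # Laptop returned, badge not: the report stays incomplete until it comes back.
    report = offboard("jdoe", build_sample_inventory(), returned={"LT-77"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Keeping the inventory as the single source of truth is what makes the "complete" flag meaningful: an account that exists on some system but is missing from the inventory will never be revoked, so the inventory itself is the control that has to be maintained.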

Responsibility of Security to Roles

Role: Responsibility

• Chief Info Security Officer: John Doe
  • Lead Info Sec. Steering Committee and incident response teams.
  • Lead efforts to develop security policy, security workbook.
  • Manage security projects, budgets, staff.
  • Lead security training for required staff on FERPA, PCI DSS, HIPAA.
  • Maintain security program: metrics, risk, testing, and policy revisions.
• Personnel: Alice Strong
  • Participate in Information Security Steering Committee.
  • Track and document theft (to determine pattern).
  • Prepare/manage contracts with third parties, establishing expectations relative to security.
  • At hiring: perform background check for persons handling confidential info, major assets or interfacing with students. Write job descriptions considering segregation of duties and security responsibilities.
  • Any employee: signs Acceptable Use Policy; takes security awareness training including compliance, policy training.
  • At termination: revoke computer authorization, return badges/keys and equipment, notify appropriate staff.

Question

Which of the following duties can be performed by one person in a well-controlled IS environment?

1. Software Developer and System Administration

2. Database administration and Data Entry

3. System Administrator and Quality Assurance

4. Quality Assurance and Software Developer


Question

Which is MOST important for a successful security awareness program?

1. Technical training for security administrators
2. Aligning the training to organization requirements
3. Training management for security awareness
4. Using metrics to ensure that training is effective

Question

To detect fraud, the BEST type of audit trail to log would be:

1. User session logs
2. Firewall incidents
3. Operating system incidents
4. Application transactions

Summary of Personnel Controls

Personnel Hiring:
• Vetting new employees
• Signed documents
• Job descriptions
• Training
• Controlled departures

Daily Support & Controls:
• Security documentation: policies & procedures
• Configuration management and change management
• Segregation of duties
• Hotline
• Other fraud controls
• Contracts and service level agreements

HEALTH FIRST CASE STUDY

Designing Physical Security

• Jamie Ramon, MD: Doctor
• Chris Ramon, RD: Dietician
• Terry: Licensed Practicing Nurse
• Pat: Software Consultant

Workbook: Personnel Security
Step 1: Define Personnel Threats

Threat                  Role   Liability or cost if threat occurs
Malpractice
HIPAA violation
Medicare fraud
Fraud against company

(The Role and Liability columns are left for the student to complete.)

Workbook: Personnel Security
Step 2: Define Personnel Controls

Threat   Role   Control

Training? Need to know? Documentation?

Allocate Responsibility of Security to Roles

Look through other chapters. What requirements do you have for:
• Risk?
• Physical security?
• Business continuity?
• Metrics?
• Information security?
• Governing?
• Network security?
• Incident response?

Someone has to do the tasks allocated in these chapters. Who will be responsible for each? How is this documented? How will they be trained?

Step 3: Allocate Responsibility of Security to Roles

Role             Responsibility
Nurse
Partner
Security Admin

(The Responsibility column is left for the student to complete.)

Step 4: Allocate Training, Documentation to Roles

Role      Requirements: Training, Documentation
Nurse
Partner

(The Requirements column is left for the student to complete.)