CHAPTER-11s


CMSC 120 INFORMATION ASSURANCE AND SECURITY BSCS 4

CHAPTER 11

SECURITY AND PERSONNEL

At the end of the chapter, the learners should be able to:

1. Describe where and how the information security function should be positioned within
organizations
2. Explain the issues and concerns related to staffing the information security function
3. Enumerate the credentials that information security professionals can earn to gain recognition in
the field
4. Illustrate how an organization’s employment policies and practices can support the information
security effort
5. Identify the special security precautions that must be taken when using contract workers
6. Explain the need for the separation of duties
7. Describe the special requirements needed to ensure the privacy of personnel data

INTRODUCTION

When implementing information security, an organization must first address how to position
and name the security function. Second, the information security community of interest must plan for
the function’s proper staffing or for adjustments to the staffing plan. Third, the IT community of interest
must assess the impact of information security on every IT function and adjust job descriptions and
documented practices accordingly. Finally, the general management community of interest must work
with information security professionals to integrate solid information security concepts into the
organization’s personnel management practices.

To assess the effect that the changes will have on the organization’s personnel management
practices, the organization should conduct a behavioral feasibility study before the implementation
phase—that is, in the analysis phase. The study should include an investigation into the levels of
employee acceptance of change and resistance to it. Employees often feel threatened when an
organization is creating or enhancing an information security program. They may perceive the program
to be a manifestation of a Big Brother attitude, and might have questions such as:

● Why is management monitoring my work or my e-mail?
● Will information security staff go through my hard drive looking for evidence to fire me?
● How can I do my job well now that I have to deal with the added delays of information
security technology?

POSITIONING AND STAFFING THE SECURITY FUNCTION

There are several valid choices for positioning the Information Security department within an
organization. The model commonly used by large organizations places the information security
department within the Information Technology department and usually designates the CISO (chief
information security officer) or CSO (chief security officer) to lead the function. The CISO reports
directly to the company’s top computing executive, or CIO. Such a structure implies that the goals and
objectives of the CISO and CIO are aligned, but this is not always the case. By its very nature, an
information security program can sometimes work at odds with the goals and objectives of the
Information Technology department as a whole. The CIO, as the executive in charge of the
organization’s technology, strives to create efficiency in the availability, processing, and accessing of
company information. Thus, anything that limits access or slows information processing can impede
the CIO’s mission for the entire organization.

Ms. Olga Llanera, Course Facilitator | Page 1

The CISO’s function is more like that of an internal auditor in that he must direct the
Information Security department to examine data in transmission and storage to detect suspicious
traffic, and examine systems to discover information security faults and flaws in technology, software,
and employees’ activities and processes. These examinations can disrupt the speed at which the
organization’s information is processed and accessed. Because the addition of multiple layers of
security inevitably slows users’ access to information, information security may be viewed by some
employees as a hindrance to the organization’s operations. A good information security program
maintains a careful balance between access and security, and works to educate all employees about the
need for necessary delays to ensure the protection of critical information.

Staffing the Information Security Function

The selection of information security personnel is based on several criteria, some of which are
not within the control of the organization. Consider the fundamental concept of supply and demand.
When the demand for any commodity—for example, a critical technical skill— increases too quickly,
supply initially fails to meet demand. Many future IS professionals seek to enter the security market
by gaining the skills, experience, and credentials they need to meet this demand. In other words, they
enter high-demand markets by changing jobs, going to school, or becoming trained. Until the new
supply reaches the demand level, organizations must pay the higher costs associated with limited
supply. Once the supply meets or exceeds the demand, organizations can become more selective, and
the amount they are willing to pay drops.

Qualifications and Requirements A number of factors influence an organization’s hiring decisions.
Because information security has only recently emerged as a separate discipline, hiring in this field is
complicated by a lack of understanding among organizations about what qualifications an information
security professional should possess. In many organizations, information security teams currently lack
established roles and responsibilities. Establishing better hiring practices in an organization requires
the following:

● The general management community of interest should learn more about the skills and qualifications
for information security positions and IT positions that affect information security.
● Upper management should learn more about the budgetary needs of information security and its
positions. This knowledge will enable management to make sound fiscal decisions for information
security and the IT functions that carry out many information security initiatives.
● The IT and general management communities should grant appropriate levels of influence and
prestige to information security, especially to the role of CISO.

In most cases, organizations look for a technically qualified information security generalist who has a
solid understanding of how an organization operates. In many fields, the more specialized professionals
are more marketable. In information security, however, overspecialization can be risky. It is important,
therefore, to balance technical skills with general knowledge about information security.

When hiring information security professionals, organizations frequently look for candidates who
understand the following:
● How an organization operates at all levels
● That information security is usually a management problem and is seldom an exclusively technical
problem
● How to work with people and collaborate with end users, and the importance of strong communications
and writing skills
● The role of policy in guiding security efforts, and the role of education and training in making
employees and other authorized users part of the solution rather than part of the problem
● Most mainstream IT technologies at a general level, not necessarily as an expert
● The terminology of IT and information security
● The threats facing an organization and how they can become attacks


● How to protect an organization’s assets from information security attacks
● How business solutions, including technology-based solutions, can be applied to solve specific
information security problems.

Information Security Positions

Chief Information Security Officer (CISO) The CISO is typically the top information security officer
in the organization. As indicated earlier in the chapter, the CISO is usually not an executive-level
position, and frequently the person in this role reports to the chief information officer. Though CISOs
are business managers first and technologists second, they must be conversant in all areas of
information security, including the technical, planning, and policy areas. In many cases, the CISO is
the major definer or architect of the information security program. The CISO performs the following
functions:
● Manages the overall information security program for the organization
● Drafts or approves information security policies
● Works with the CIO on strategic plans, develops tactical plans, and works with security
managers on operational plans
● Develops information security budgets based on available funding
● Sets priorities for the purchase and implementation of information security projects and
technology
● Makes decisions or recommendations for the recruiting, hiring, and firing of security staff
● Acts as the spokesperson for the information security team

Chief Security Officer (CSO) In some organizations, the CISO’s position may be combined with
physical security responsibilities or may even report to a security manager who is responsible for both
logical (information) security and physical security. Such a position is generally referred to as a CSO.
The CSO must be capable and knowledgeable in both information security requirements and the
“guards, gates, and guns” approach to protecting the physical infrastructure, buildings, and grounds of
a place of business.

To qualify for this position, the candidate must demonstrate experience as a security manager and with
planning, policy, and budgets. As mentioned earlier, some organizations prefer to hire people with law
enforcement experience.

Security Manager Security managers are accountable for the day-to-day operation of the information
security program. They accomplish objectives identified by the CISO and resolve issues identified by
technicians. Management of technology requires a general understanding of that technology, but it does
not necessarily require proficiency in the technology’s configuration, operation, and fault resolution.


Note that several positions have titles that contain the word manager or suggest management
responsibilities, but only people who are responsible for management functions, such as scheduling,
setting relative priorities, or administering budgetary control, should be considered true managers.

A candidate for this position often has CISSP certification. Traditionally, managers earn the CISSP or
CISM, and technical professionals earn the Global Information Assurance Certification (GIAC).

Security managers must have the ability to draft middle- and lower-level policies as well as standards
and guidelines. They must have experience in traditional business matters, such as budgeting, project
management, hiring, and firing. They must also be able to manage technicians, both in the assignment
of tasks and in the monitoring of activities. Experience with
business continuity planning is usually a plus.

The following is a typical example of a security manager’s job description. Note that there are several
types of security managers, as the position is much more specialized than that of CISO. Thus, when
applying for a job as a security manager, you should read the job description carefully to determine
exactly what the employer wants.

Security Technician Security technicians are technically qualified employees who are tasked to
configure firewalls, deploy IDPSs, implement security software, diagnose and troubleshoot problems,
and coordinate with systems and network administrators to ensure that an organization’s security
technology is properly implemented. A security technician is often
an entry-level position, but to be hired for this role, candidates must possess some technical skills. This
often poses a dilemma for applicants, as many find it difficult to get a job in a new field without
experience—they can only attain such experience by getting a job. As in the networking arena, security
technicians tend to specialize in one major security technology group (firewalls, IDPSs, servers,
routers, or software) and in one particular software or hardware package, such as Check Point firewalls,
Nokia firewalls, or Tripwire IDPSs. These areas are sufficiently complex to warrant a high level of
specialization, but to move up in the corporate hierarchy, security technicians must expand their
knowledge horizontally—that is, gain an understanding of general organizational issues related to
information security and its technical areas.

The technical qualifications and position requirements vary for a security technician. Organizations
prefer an expert, certified, proficient technician. Regardless of the area of needed expertise, the job
description covers some level of experience with a particular hardware and software package.
Sometimes, familiarity with a technology secures an applicant an interview; however, actual experience
in using the technology is usually required.

CREDENTIALS OF INFORMATION SECURITY

When filling information security positions, many organizations indicate the level of proficiency
required for the job by specifying that the candidate have recognizable certifications.
Some of the more popular are:
■ The (ISC)2 family of certifications, including the Certified Information Systems
Security Professional (CISSP), a number of CISSP specialization certifications, the
Systems Security Certified Practitioner (SSCP), the Associate of (ISC)2, and several
other specialized certifications
■ The ISACA family of certifications, including Certified Information Systems Auditor
(CISA)
■ Certified Information Security Manager (CISM)
■ The Global Information Assurance Certification (GIAC) family of certifications
■ Security
■ Certified Computer Examiner

EMPLOYMENT POLICIES AND PRACTICES


To create an environment in which information security is taken seriously, an organization should make
it a documented part of every employee’s job description. In other words, the general management
community of interest should integrate solid concepts for information security into the organization’s
employment policies and practices. This section examines important information security issues
associated with recruiting, hiring, firing, and managing human resources in an organization.

From an information security perspective, the hiring of employees is a responsibility laden with
potential security pitfalls. Therefore, the CISO and information security manager should work with the
Human Resources department to incorporate information security into the guidelines used for hiring
all personnel.

Job Descriptions
The process of integrating information security into the hiring process begins with reviewing and
updating all job descriptions. To prevent people from applying for positions based solely on the access
to sensitive information those positions carry, the organization should avoid revealing access privileges
to prospective employees when it advertises open positions.

Interviews
Some interviews with job candidates are conducted with members of the Human Resources (HR) staff,
and others include members of the department for which the position is being offered. An opening
within the Information Security department creates a unique opportunity for the security manager to
educate HR on the various certifications and specific experience each certification requires, as well as
the qualifications of a good candidate. In all other areas of the organization, Information Security
should advise HR to limit information provided to the candidate about responsibilities and access rights
of the new hire. For organizations that include onsite visits as part of their initial or follow up
interviews, it is important to exercise caution when showing a candidate around the facility. Avoid
tours through secure and restricted sites. Candidates who receive tours may be able to retain enough
information about operations or information security functions to become a threat.

Background Checks
A background check should be conducted before an organization extends an offer to a job candidate.
A background check is an investigation into the candidate’s past that looks for criminal behavior or
other types of behavior that could indicate potential for future misconduct. Several government
regulations specify what the organization can investigate and how much of the information uncovered
can be allowed to influence the hiring decision. The security manager and HR manager should discuss
these matters with legal counsel to determine what state, federal, and perhaps international regulations
affect the hiring process.

Background checks differ in the level of detail and depth with which they examine a candidate.
In the military, background checks determine the candidate’s level of security classification, a
requirement for many positions. In the business world, a background check can determine the level of
trust the business places in the candidate. People being considered for security positions should expect
to be subjected to a moderately high-level background check. Those considering careers in law
enforcement or high-security positions may even be required to submit to polygraph tests. The
following list summarizes various types of background checks and the information checked for each:
● Identity checks: Validation of identity and Social Security number
● Education and credential checks: Validation of institutions attended, degrees and
certifications earned, and certification status
● Previous employment verification: Validation of where candidates worked, why they left,
what they did, and for how long
● Reference checks: Validation of references and integrity of reference sources
● Worker’s compensation history: Investigation of claims from worker’s compensation
● Motor vehicle records: Investigation of driving records, suspensions, and DUIs
● Drug history: Screening for drugs and drug usage, past and present
● Credit history: Investigation of credit problems, financial problems, and bankruptcy
● Civil court history: Investigation of the candidate’s involvement as a plaintiff or defendant
in civil suits


● Criminal court history: Investigation of criminal background, arrests, convictions, and time
served

Employment Contracts
Once a candidate has accepted a job offer, the employment contract becomes an important security
instrument. Many of the policies discussed in the previous lesson—specifically, the fair and responsible
use policies—require an employee to agree in writing to monitoring and nondisclosure agreements. If
existing employees refuse to sign these agreements, security personnel are placed in a difficult
situation. They may not be able to force employees to sign or to deny employees access to the systems
necessary to perform their duties. With new employees, however, security personnel are in a different
situation because the procedural step of policy acknowledgment can be made a requirement of
employment. Policies that govern employee behavior and are applied to all employees may be
classified as “employment contingent upon agreement.” This classification
means the potential employee must agree in a written affidavit to conform with binding organizational
policies before being hired. Some organizations choose to execute the remainder of the employment
contract after the candidate has signed the security agreements. Although this may seem harsh, it is a
necessary component of the security process. Employment contracts may also contain restrictive
clauses regarding the creation and ownership of intellectual property while the candidate is employed
by the organization. These provisions may require the employee to actively protect the organization’s
information assets—especially assets that are critical to security.

New Hire Orientation

When new employees are introduced into the organization’s culture and workflow, they should receive
an extensive information security briefing as part of their employee orientation. All major policies
should be explained, along with procedures for performing necessary security operations and the new
position’s other information security requirements. In addition, the levels of authorized access should
be outlined for new employees, and training should be provided regarding the secure use of information
systems. By the time new employees are ready to report to their positions, they should be thoroughly
briefed on the security components of their particular jobs and on the rights and responsibilities of all
personnel in the organization.

On-the-Job Security Training

The organization should integrate the security awareness education into a new hire’s job orientation
and make it a part of every employee’s on-the-job security training. Keeping security at the forefront
of employees’ minds helps minimize their mistakes and is therefore an important part of the
information security team’s mission. Formal external and informal internal seminars should also be
used to increase the security awareness of employees, especially that of security employees.

Evaluating Performance
To heighten information security awareness and minimize risky workplace behavior, organizations
should incorporate information security into employee performance evaluations. For example, if
employees have been observed keeping system passwords on notes stuck to their monitors, they should
be warned. If such behavior continues, they should be reminded of their failure to comply with the
organization’s information security regulations during their annual performance review. In general,
employees pay close attention to job performance evaluations and are more likely to take information
security seriously if violations are documented in them.

Termination

Exit interview: A meeting with an employee who is leaving the organization to remind the employee of
contractual obligations, such as nondisclosure agreements, and to obtain feedback about the employee’s
tenure.

Leaving the organization may or may not be a decision made by the employee. Organizations may
downsize, be bought out or taken over, shut down, run out of business, or be forced to lay off, fire, or
relocate their work force. In any event, when an employee leaves an organization, several security
issues arise. Key among these is the continuity of protection of all information to which the employee


had access. Therefore, when an employee prepares to leave an organization, the following tasks must
be performed:
● Access to the organization’s systems must be disabled.
● Removable media must be returned.
● Hard drives must be secured.
● File cabinet locks must be changed.
● Office door locks must be changed.
● Keycard access must be revoked.
● Personal effects must be removed from the organization’s premises.

After the employee has delivered keys, keycards, and other business property, he or she should be
escorted from the premises.
In addition to the tasks just listed, many organizations use an exit interview to remind the employee of
contractual obligations, such as nondisclosure agreements, and to obtain feedback about the employee’s
tenure in the organization. At this time, the employee should be reminded that failure to comply with
contractual obligations could lead to civil or criminal action.

In reality, most employees are allowed to clean out their own offices and collect their personal
belongings, and are simply asked to return their keys. From a security standpoint, these procedures are
risky and lax because they expose the organization’s information to disclosure and theft. To minimize
such risks, an organization should have security-minded termination procedures that are followed
consistently. In other words, the procedures should be followed regardless of the level of trust the
organization had for the employee. However, a universally consistent approach is difficult and
sometimes awkward to implement, which is why it’s not often applied. Given the realities of
workplaces, the simplest and best method for handling a departing employee may be to select one of
the following scenarios, based on the employee’s reasons for leaving.

Hostile Departures Hostile departures include termination for cause, permanent downsizing,
temporary layoffs, and quitting in some instances. While the employee may not seem overly hostile,
the unexpected termination of employment can prompt the person to lash out against the organization.
Before the employee knows he is leaving, or as soon as the hostile resignation is tendered, the security
staff should terminate all logical and keycard access. In the case of involuntary terminations, the
employee should be escorted into the supervisor’s office for the bad news.

Upon receiving the termination notice or tendering a hostile resignation, the employee should be
escorted to his office or cubicle and allowed to collect personal effects. No organizational property can
be taken from the premises, including pens, papers, and books, as well as portable digital media like
CDs, DVDs, and memory devices. Regardless of the claim the employee makes on organizational
property, he should not be allowed to take it from the premises. If the employee has property he strongly
wants to retain, he should be informed that he can submit a written list of the items and the reasons he
should be allowed to retain them. After the employee’s personal property has been gathered, he should
be asked to surrender
all company property, such as keys, keycards, other organizational identification, physical access
devices, PDAs, pagers, cell phones, and portable computers. The employee should then be escorted out
of the building.

Friendly Departures Friendly departures include resignation, retirement, promotion, or relocation. In
such cases, the employee may have tendered notice well in advance of the actual departure date. This
scenario actually makes it more difficult for the security team to maintain positive control over the
employee’s access and information usage. Employee accounts are usually allowed to continue to exist,
though an expiration date can be set for the employee’s declared date of departure. Another
complication associated with friendly departures is that the employees can come and go at will until
their departure date, which means they will probably collect their own belongings and leave under their
own recognizance.
As with hostile departures, employees should be asked to drop off all organizational property on their
way out for the final time. For either type of departure, hostile or friendly, the offices and information
used by the employee must be inventoried, files must be stored or destroyed, and all property must be


returned to organizational stores. In either scenario, employees might foresee their departure well in
advance and start taking home organizational information such as files, reports, and
data from databases, perhaps thinking such items could be valuable in their future employment. This
may be impossible to prevent. Only by scrutinizing systems logs after the employee has departed and
sorting out authorized actions from systems misuse or information theft can the organization determine
if a breach of policy or loss of information has occurred. If information is illegally copied or stolen, the
action should be declared an incident and the appropriate policy followed.
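As an added example (not part of the course material), the following Python script performs the post-departure log review described above for both departure scenarios: it correlates a constructed offboarding roster with constructed access-log lines, flags any activity after the point at which access should have been disabled (immediately for a hostile departure, at the declared departure date for a friendly one), and flags bulk or after-hours downloads during a friendly departure's notice period. The log format, the roster fields, and the size and after-hours thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed offboarding roster (assumption: kept by HR/security at departure
# time).  "notice" is when the departure became known to security; "expires"
# is when the account must be disabled: immediately for a hostile departure,
# the declared departure date for a friendly one.
ROSTER = {
    "jdoe":   {"type": "hostile",  "notice": "2024-03-04T09:00", "expires": "2024-03-04T09:00"},
    "asmith": {"type": "friendly", "notice": "2024-02-20T17:00", "expires": "2024-03-05T18:00"},
}

# Constructed access-log lines: "<timestamp> <user> <action> <object> <bytes>"
SAMPLE_LOG = """\
2024-02-19T10:12 asmith READ /projects/roadmap.docx 20480
2024-02-27T22:41 asmith DOWNLOAD /db/customers_export.csv 734003200
2024-02-28T23:05 asmith DOWNLOAD /db/pricing_all.csv 512000000
2024-03-01T11:00 bwong READ /projects/roadmap.docx 20480
2024-03-04T09:20 jdoe LOGIN vpn 0
2024-03-04T09:25 jdoe DOWNLOAD /hr/salaries.xlsx 1048576
2024-03-06T08:01 asmith LOGIN vpn 0
"""

BULK_BYTES = 100 * 1024 * 1024              # assumed: 100 MiB in a single action
AFTER_HOURS_START, AFTER_HOURS_END = 20, 6  # assumed: 20:00-06:00 is after hours


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "bytes": int(nbytes)})
    return events


def review(events, roster):
    """Return (user, reason, timestamp) findings for departing employees only.

    Staff who are not departing are left to the organization's normal
    monitoring; this review sorts the departing employees' actions into
    authorized use and candidates for misuse or information theft.
    """
    findings = []
    for ev in events:
        entry = roster.get(ev["user"])
        if entry is None:
            continue
        notice = datetime.fromisoformat(entry["notice"])
        expires = datetime.fromisoformat(entry["expires"])
        stamp = ev["ts"].isoformat(timespec="minutes")
        if ev["ts"] >= expires:
            # Any activity after access should have been cut is a control
            # failure, whatever the action was.
            findings.append((ev["user"], "access-after-disable", stamp))
            continue
        if entry["type"] == "friendly" and notice <= ev["ts"] < expires:
            # Notice period: still authorized, but the pattern the text warns
            # about (taking files home before leaving) is flagged for review.
            if ev["action"] == "DOWNLOAD" and ev["bytes"] >= BULK_BYTES:
                findings.append((ev["user"], "bulk-download-in-notice-period", stamp))
            hour = ev["ts"].hour
            if hour >= AFTER_HOURS_START or hour < AFTER_HOURS_END:
                findings.append((ev["user"], "after-hours-in-notice-period", stamp))
    return findings


def summarize(findings):
    """Count findings by reason so the reviewer sees the shape of the problem."""
    return dict(Counter(reason for _, reason, _ in findings))


def accounts_to_disable(roster, now_iso):
    """Users whose expiration date has passed and whose access must be cut now."""
    now = datetime.fromisoformat(now_iso)
    return sorted(u for u, e in roster.items()
                  if datetime.fromisoformat(e["expires"]) <= now)


if __name__ == "__main__":
    hits = review(parse_log(SAMPLE_LOG), ROSTER)
    for user, reason, when in hits:
        print(f"{when} {user:8s} {reason}")
    print(summarize(hits))
    print("disable now:", accounts_to_disable(ROSTER, "2024-03-05T18:00"))
```

The login by asmith the morning after the declared departure date is the case the text calls out: a friendly-departure account that was allowed to live until its expiration date but was never actually disabled.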

SECURITY CONSIDERATIONS FOR TEMPORARY EMPLOYEES, CONSULTANTS, AND OTHER WORKERS

Temporary employees, contract employees, and other types of workers are not subject to rigorous
screening, contractual obligations, and eventual secured termination, but they often have access to
sensitive organizational information. As outlined in the sections that follow, relationships with workers
in these categories should be carefully managed to prevent a possible
information leak or theft.

Temporary Employees
Some employees are hired by the organization to serve in a temporary position or to supplement the
existing workforce. These employees do not work for the organization where they perform their duties,
but instead are usually paid employees of a temp agency or organization that provides qualified workers
at the paid request of another company. Temps typically provide secretarial or administrative support,
and thus may be exposed to a wide range of information.
Because they are not employed by the host organization, they are often not subject to the contractual
obligations or general policies that govern other employees. If temps violate a policy or cause a
problem, the strongest action the host organization can take is to terminate the relationship and request
that the temps be censured. The employing agency is under no contractual obligation to comply,
although it may censure the employee to appease an important client.

From a security standpoint, temporary employees’ access to information should be limited to that
necessary for them to perform their duties. The organization can attempt to have temporary employees
sign nondisclosure agreements and fair use policies, but the temp agency may refuse, forcing the host
organization to choose among finding a new temp agency, going
without the assistance of the temp worker, or allowing the temp to work without the agreement. This
can create a potentially awkward and dangerous situation, as temporary workers may inadvertently
gain access to information that does not directly relate to their responsibilities.
The only way to combat this threat is to ensure that the supervisor restricts the information to which
the temp has access and makes sure all employees follow good security practices, especially clean desk
policies and the security of classified data. Temps can provide great benefits to the host organization,
but they should not be employed at the cost of sacrificing information security.

Contract Employees
Contract employees are typically hired to perform specific services for the organization. In such cases,
the host company often makes a contract with a parent organization rather than with an individual
employee for a particular task. Typical contract employees include groundskeepers, maintenance
workers, electrical contractors, mechanical service contractors, and other service and repair workers.
Although some contract workers may require access to virtually all areas of the organization to do their
jobs, they seldom need access to information or information resources, except when the organization
has leased computing equipment or contracted with a disaster recovery service. Contract employees
may also need access to various facilities, but this does not mean they should be allowed to wander
freely in and out of buildings. For the organization to maintain a secure facility, all contract employees
should be escorted from room to room, as well as into and out of the facility. When contract employees
report for maintenance or repair services, security personnel should first verify that these services are
actually scheduled or approved. As indicated in earlier chapters, attackers have been known to dress
up as telephone repairmen, maintenance technicians, or janitors to gain physical access to a building.
Therefore, direct supervision of contract employees is a necessity.

Ms. Olga Llanera, Course Facilitator

Another necessary aspect of hiring contract employees is making certain that restrictions or
requirements are negotiated into the contract agreements at the time the contracts are activated. The
following requirements should be negotiated well in advance:

1. The facility requires 24 to 48 hours’ notice of a maintenance visit.
2. The facility requires all onsite personnel to undergo background checks.
3. The facility requires advance notice for cancellation or rescheduling of a maintenance visit.

Consultants

Sometimes, onsite contracted workers are self-employed or are employees of an organization hired for
a specific, one-time purpose. These workers are typically referred to as consultants, and they have their
own security requirements and contractual obligations. Contracts for consultants should specify all
requirements for information or facility access before the consultants are allowed into the workplace.
Security and technology consultants especially must be prescreened, escorted through work areas, and
subjected to nondisclosure agreements to protect the organization from possible breaches of
confidentiality.
It is human nature (and a trait often found among consultants) to brag about the complexity of a
particular job or an outstanding service provided to another client.
If the organization does not want the consultant to mention their working relationship or to disclose
any details about a particular system configuration, the organization must write these restrictions into
the contract. Consultants typically request permission to present work samples to other companies as
part of their résumés, but a client organization is not obligated to grant this permission and can even
explicitly deny permission in writing. Organizations should also remember that paying an information
security consultant does not make the protection of their information the consultant’s top priority.

Business Partners

On occasion, businesses create strategic alliances with other organizations that want to exchange
information, integrate systems, or simply discuss operations for mutual advantage. In these situations,
a prior business agreement is needed to specify the level of exposure both organizations are willing to
tolerate. Sometimes, one division of a company enters a strategic partnership with an organization that
directly competes with another of the company’s own divisions. If the strategic partnership evolves
into an integration of both companies’ systems, competing groups might exchange information that
neither parent organization expected to share. As a result, both organizations must make a meticulous,
deliberate determination of what information is to be exchanged, in what format, and with whom.
Nondisclosure agreements must be in place. The security levels of both systems must be examined
before any physical integration takes place—once systems are connected, the vulnerability of one
system becomes the vulnerability of all.

INTERNAL CONTROL STRATEGIES


job rotation. The requirement that every employee be able to perform the work of another employee.
Also known as task rotation.
least privilege. The process of ensuring that no unnecessary access to data exists; employees are able
to perform only the minimum operations necessary on a set of data.
need to know. The requirement that an employee only has access to information necessary for
performing his or her own work.
separation of duties. The principle that the completion of a significant task involving sensitive
information requires at least two people.
two-person control. The requirement that two employees review and approve each other’s work
before the task is categorized as finished.


Among internal control strategies, separation of duties is a cornerstone in the protection of information
assets and the prevention of financial loss. Separation of duties is used to reduce the chance that an
employee will violate information security and breach the confidentiality, integrity, or availability of
information. The control stipulates that the completion of a significant task involving sensitive
information requires at least two people. The idea behind this separation is that if only one person has
authorization to access a particular set of information, there may be nothing the organization can do to
prevent the person from copying the information and removing it from the premises. Separation of
duties is especially important, and thus commonly implemented, when financial information must be
protected. For example, consider that two people are required to issue a cashier’s check at a bank. The
first is authorized to prepare the check, acquire the numbered financial document, and ready the check
for signature. The process then requires a second person, usually a supervisor, to sign the check. Only
then can the check be issued. If one person had the authority to perform both functions, he could write
a number of checks, sign them, and steal large sums from the bank.

The same level of control should be applied to critical data. One programmer updates the system and
a supervisor or coworker accesses the file location in which the updates are stored. Or, one employee
can be authorized to run backups to the system and another can install and remove the physical media.
A similar concept is known as two-person control, in which two employees review and approve each
other’s work. This concept is distinct from separation of duties, in which the two people work in
sequence. In two-person control, each person completely finishes the necessary work and then submits
it to the other coworker. Each coworker then examines the work performed, double-checking to make
sure no errors or inconsistencies exist.
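
The cashier’s check sequence and the two-person review described above, as an added example in Python that is not part of the chapter. The users, roles and check numbers are constructed; the "manager" role, which may both prepare and sign, is included only to show that the separation check, not the role table, stops one person from doing both halves of the task.

```python
"""Constructed example, not from the chapter: separation of duties (a cashier's
check needs a preparer and a different signer, in sequence) and two-person
control (coworkers finish their own work, then approve each other's)."""
from dataclasses import dataclass
from typing import Optional
# Constructed role table. A manager holds both permissions, so only the
# separation-of-duties check (not the role table) stops self-signing.
ROLE_PERMISSIONS = {"teller": {"prepare_check"}, "supervisor": {"sign_check"},
                    "manager": {"prepare_check", "sign_check"}}
USERS = {"alice": "teller", "bob": "supervisor", "dave": "manager"}

class SeparationOfDutiesError(Exception):
    """One person tried to perform both halves of a two-person task."""

@dataclass
class CashiersCheck:
    number: int                      # the numbered financial document
    amount: float
    prepared_by: Optional[str] = None
    signed_by: Optional[str] = None

def _require(user: str, permission: str) -> None:
    """Authorization: the user's role must carry the permission."""
    if permission not in ROLE_PERMISSIONS.get(USERS.get(user), set()):
        raise PermissionError(f"{user} is not allowed to {permission}")

def prepare_check(check: CashiersCheck, user: str) -> CashiersCheck:
    """Step 1 of the sequence: ready the check for signature."""
    _require(user, "prepare_check")
    check.prepared_by = user
    return check

def sign_check(check: CashiersCheck, user: str) -> CashiersCheck:
    """Step 2: a different, authorized person signs; only then is it issued."""
    _require(user, "sign_check")
    if check.prepared_by is None:
        raise ValueError(f"check {check.number} has not been prepared")
    if user == check.prepared_by:
        raise SeparationOfDutiesError(f"{user} prepared check {check.number}")
    check.signed_by = user
    return check

def is_issued(check: CashiersCheck) -> bool:
    return check.prepared_by is not None and check.signed_by is not None

def two_person_control_met(authors: set, approvals: list) -> bool:
    """Each author's work is approved by the other member of the pair, never
    by its own author. approvals holds (reviewer, author) pairs."""
    approved = {a for r, a in approvals if r in authors and r != a}
    return len(authors) == 2 and approved == authors
```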

Another control used to prevent personnel from misusing information assets is job rotation (or task
rotation). If one employee cannot feasibly learn the entire job of another, the organization should at
least try to ensure that multiple employees on staff can perform each critical task. Such job or task
rotations can greatly increase the chance that an employee’s misuse of the system or abuse of
information will be detected by another. They also ensure that no one employee performs actions that
cannot be physically audited by another employee. In general, this method makes good business sense.
Another threat to information is the organization’s lack of multiple employees who can perform the
same task when one of them is unable to carry out his normal duties. If everyone knows at least part
of another worker’s job, the organization can survive the loss of any one employee.

This leads to a control measure that may seem surprising: mandatory vacations. Why should a company
require its employees to take vacations? A mandatory vacation of at least one week gives the
organization the ability to audit the work of an employee. People who are stealing from the organization
or otherwise misusing information or systems are generally reluctant to take vacations, for fear that
their actions will be detected. Therefore, all employees should be required to take a vacation so their
jobs can be audited. This is not meant to imply that employees are untrustworthy, but to show how
organizations must be creative with the control measures they apply, and even consider the security
situation as a potential attacker would. The mandatory vacation policy is effective because it makes
employees consider that they might be caught if they abuse the system. Information security
professionals who think this practice impugns the character of their coworkers should note that some
bonding authorities, auditing agencies, and oversight boards require mandatory vacations for all
employees.

A related concept, garden leave, is used by some companies to restrict the flow of
proprietary information when an employee leaves to join a competitor. When this procedure is invoked,
an employee is paid salary and benefits for a period of time, often 15 or 30 days; is not allowed access
to the former place of employment; and is not allowed to report to the new employer. The intent is to
have employees lose the immediate value of any current knowledge about tactical intelligence at the
former firm and ensure that the employee’s recollections of specific details fade. Technically, such
employees remain on the payroll of the former company, but they cannot go to work at their new
company yet. The term garden leave comes from the fact that the employee can do little more than stay
home and tend a garden for a while.

One final control measure is that employees should have access to the minimum amount of information
necessary for them to perform their duties, and only as long as needed. In other words, there is no need
for everyone in the organization to have access to all information. This principle is called least
privilege. A similar concept is need to know, in which only employees who have a real business need
to access certain data are allowed to do so. The whole purpose of information security is to allow
people who need to use a system’s information to do so without being concerned about its
confidentiality, integrity, and availability. Organizations should keep in mind that everyone who can
access data probably will, with potentially devastating consequences for the organization’s
information security.

PRIVACY AND THE SECURITY OF PERSONNEL DATA

Organizations are required by law to protect employee information that is sensitive or personal. This
information includes employee addresses, phone numbers, Social Security numbers, medical
conditions, and even names and addresses of family members.

In principle, personnel data is no different from other data that an organization’s information security
group must protect, but a great deal more regulation covers its protection. As a result, information
security groups should ensure that this data receives at least the same level of protection as other
important data in the organization, including intellectual property, strategic planning, and other
business-critical information.
