Organizing Personnel Security
Security Planning
Susan Lincke
Security Planning: An Applied Approach | 6/21/2016

Objectives
The students should be able to:
• Define and describe security awareness, security training, and security education.
• Apply segregation of duties to information technology with regard to a business.
• Plan allocation of security responsibility, documentation and training.
• Describe good practices for hiring and terminating an employee.

Security Issues with Personnel
Personnel are the weak link: social engineering (phishing, pharming, etc.).
Issues to look at include:
• Hiring: background checks, signed documents, job descriptions, contracts
• Termination: return equipment, disable accounts
• Skills management: security awareness & training, job skill training
• Documents: policies/procedures, configuration management, job descriptions
• Fraud: need-to-know, segregation of duties, fraud reporting

PERSONNEL-FRAUD ISSUES
• Segregation of Duties
• Documentation: configuration management, change control
• Training

Workbook: Personnel Security: Personnel Threats
Threat | Role | Liability or Cost if threat occurs
Divulging private info | Employee | FERPA violation = loss of federal funds
Skim payment cards | Salesperson | PCI DSS, state breach violation
Grant abuse | Employee with grant | Loss of funds from US granting agencies
Abuse of student | Employee, student, visitor | Bad press – loss in reputation; may incite lawsuit

Fraud Control Types
After fraud: Corrective Controls
• Punishment -> amend controls
• Fidelity insurance
• Employee bonding
Time of fraud: Detective Controls. Finding fraud when it occurs includes:
• Anonymous hotline*
• Surprise audits*
• Monitoring activities
• Logged transactions
• Employee badges
• Complaint or fraud investigation
• Mandatory vacations
• Job rotation
Before fraud: Preventive Controls (BEST). Preventing fraud includes:
• Segregation of duties
• Security roles
• Ethical culture
• Internal controls: physical & data security
• Need-to-know
• Signed documents
• Fraud and security awareness training
• Employee support programs
• Background checks

Security Roles
• Chief Information Security Officer
• Data Owner, Process Owner: allocates permissions, defines safe processes.
• Info Security Steering Committee: management with knowledge of business and/or security functions defines security.
• Incident Response Management/Team: decides or performs functions related to incident response.
• Security Analyst, Security Administrator: security staff who design or implement security functions.

Segregation of Duties
• Origination
• Authorization: approves
• Distribution: acts on
• Verification: double-checks

Organizational Segregation of Duties
• Audit: ensures procedures are professionally done
• Security/Compliance: advises and monitors for security
• Quality Control: tests, or ensures quality of S/W or production
• System/Network Admin: serves the Business
• Development: delivers S/W to the Business

IT Segregation of Duties
• Requirements/Design: Systems Analyst, Database Administrator
• User: End User, Data Entry
• Test Environment: Quality Assurance
• Security Control Group: Security Admin
• Development Environment: Application Programmer, Systems Programmer
• Production Environment: Computer Operator, System Administrator, Network Administrator, Help Desk

Segregation of Duties Controls
• Transaction authorization
• Asset inventory & custody
• Data owner's responsibility is specific and documented:
  • Allocates authorization according to least privilege and segregation of duties
• Security Administrator implements physical, system & application security:
  • Authorization forms
  • User authorization tables: who can view/update/delete data at transaction or field level

Tools to Control Documents: Configuration Management
Central repository = electronic library / document management system.
Retains important documents:
• Software development teams: requirements, design, test documents, and program code
• Project, audit and security plans
Maintains history: holds a snapshot of each version of each document; any version can be retrieved at any time.
Permits users to:
• check out a document;
• edit, review or approve the document; and
• check it in with an increased version number.
The reason for revision and the author are recorded and later available as version history.

Tools to Control Documents: Change Management
Change management helps to create the different configuration management versions. It maintains the state of a change proposal:
1. Starts with a Change Request, which may be
2. analyzed and approved by management for implementation. The change is then
3. implemented (e.g., programmed or acted upon), and then
4. tested and approved, when the change is ready for deployment.
Documentation for each of these stages is maintained in a change management or configuration management repository. Emails may notify stakeholders of changes of status.

Security Awareness & Training
Training covers what is expected of employees:
• Why is policy in place?
• How is policy enforced?
Training may be implemented as:
• New employee orientation
• Company newsletters
Determine effectiveness by interviewing employees.

Types of Security Training
Function | Purpose | Audience | Methods
Awareness | Create a security-conscious workforce | Employees, partners & vendors | Newsletters, surveys, quizzes, video training, forums, posters
Training | Necessary skills for a particular position | HR, legal, middle or top mgmt, IT, programmers | Workshops, conferences
Education | High-level skills | High-skilled professions: audit, security admin/mgmt, risk mgmt… | Organized and gradual development: teaching & coaching

Awareness Training
Signed employment agreements, video, memos, emails, posters, seminars and training classes: a combination of parallel approaches.
Knowledge areas:
• Back up work-related files
• Choosing passwords and avoiding exposure
• Avoiding email and web viruses
• Recognizing social engineers
• Recognizing & reporting security incidents
• Securing electronic & paper media against theft & exposure
• Spotting malware that could lead to identity theft & desktop spying
Metrics should be established to determine the effectiveness of change in behavior and workforce attitude.

Security Certificates & Continuing Education
Security Certification(s) | Minimum 1-year Requirement | Minimum 3-year Requirement
CISSP, CISA, CISM, CRISC, CEH | 20 | 120
SSCP, CAP, HCISPP | 10 | 60
Security+ | - | 50
Other CompTIA certificates | - | 20-75

Other Personnel Preventive Controls
• Training and written policies and procedures
• Ethical culture: management must live, mentor, and insist on ethical behavior.
• Employee support programs: address personal/financial problems before they become unmanageable.
• Background checks: for handlers of PII.
• Need to know / least privilege

Detective & Corrective Controls
Detective/Deterrence Controls:
• Fraud reporting or hotline
• Logged transactions
• Internal Audit Dept and surprise audits
• Mandatory vacations or job rotation
Corrective Controls:
• Employee bonding: insurance protects against losses due to theft, mistakes and neglect.
• Fidelity insurance: insurance against fraud or employee misdeeds is useful for rare but expensive risks.

Workbook: Personnel Security: Personnel Controls
Threat | Role | Control
Divulging private info | Employee | FERPA training: annual quiz review, new employee training
Grant abuse | Employee with grant | Financial controls: employee and grant administrator and

Workbook: Personnel Security: Responsibility of Security to Roles
Role | Responsibility
Registrar | Establish FERPA training. Data Owner: student scholastic and financial information. Oversee FERPA adherence in Registration dept.
Admin. | Attend FERPA training. Retain locked cabinets with student info.
Security | Monitor logs, enable/disable

Workbook: Personnel Security: Requirements: Training, Documentation
Role | Requirements: Training, Documentation
Registrar | FERPA experience in hiring. Training every 3-5 years at national conference or workshop.
Employee | University FERPA documentation; FERPA web page on handling data; annual quizzes; students sign acceptable use policy.

PERSONNEL ISSUES
• Hiring
• Contracts
• Termination

Personnel Issues
• Background checks can reduce fraud
  • More secure position = more checking required
  • A standard or procedure is useful
• Training & signed contracts
• Track and document theft
  • Minor incidents could add up to a major pattern problem
• Email can be monitored for potential problem employees
  • Assuming policy is in place and employees are aware

Employee Hiring
• Document security responsibilities
• Screen candidates for sensitive positions
• Have signed agreements regarding:
  • Job responsibilities, conditions of employment
  • Security responsibilities (incl. copyright)
  • Confidentiality agreement
  • Corrective actions taken if security requirements are not followed

New Employee Orientation
New employee signs Privacy Policy document:
• Has read and agreed to follow security policies
• Conform to laws and regulations
• Promise not to divulge logon IDs and passwords
• Create quality passwords
• Lock terminal when not present
• Report suspected violations of security
• Maintain good physical security (locked doors, private keys)
• Use IT resources only for authorized business purposes

Signed Agreements
• Code of Conduct: describes general ethical behavior requirements
• Acceptable Use Policy: addresses which company data is accessed, and how
• Privacy Policy: defines behavior regarding confidential info: password policies, physical security, locked terminals, and reporting security issues.
• Service Level Agreement: contract between a customer and provider.

Third Party Agreements
• Define information security policy
• Define procedures to implement policy
• Deploy controls to protect against malicious software
• Publish restrictions on copying/distributing information
• Implement procedures to determine whether assets were compromised
• Ensure return or destruction of data at end of job

Service Level Agreement (SLA)
A Service Level Agreement (SLA) is a contract to outsource IT or another sensitive service.
• Can include networking, business continuity, security or information security
An SLA ensures levels of quality for performance, security and legal compliance by defining:
• Introduction and Scope of Work
• Security
• Performance, Tracking and Reporting
• Termination of Contract
• Problem Management
• Schedules and General Compensation
• Signatures
• Customer Duties and Responsibilities
• Warranties and Remedies
• Intellectual Property Rights and Confidential Information
• Legal Compliance and Resolution of Disputes

Employee Termination
Employees about to leave or who have left the organization cause 70% of internal information theft.
Unless a continued relationship is expected:
• Disable all corporate accounts and access permissions
• Return equipment
• Revoke access
• Return all access keys, ID cards and budgets
• Notify all staff and security personnel
• Arrange final pay
• Perform termination interview

Responsibility of Security to Roles
Role | Responsibility
Chief Info Security Officer: John Doe | Lead Info Sec. Steering Committee and incident response teams. Lead efforts to develop security policy, security workbook. Manage security projects, budgets, staff. Lead security training for required staff on FERPA, PCI DSS, HIPAA. Maintain security program: metrics, risk, testing, and policy revisions.
Personnel: Alice Strong | Participate in Information Security Steering Committee. Tracks and documents theft (to determine pattern). Prepare/manage contracts with third parties, establishing expectations relative to security. At hiring: perform background check for persons handling confidential info, major assets or interfacing with students; write job descriptions considering segregation of duties, security responsibilities.
Any Employee | Signs Acceptable Use Policy; takes security awareness training including compliance, policy training.
At termination: revoke computer authorization, return badges/keys and equipment, notify appropriate staff.

Question
Which of the following duties can be performed by one person in a well-controlled IS environment?
1. Software Developer and System Administration
2. Database administration and Data Entry
3. System Administrator and Quality Assurance
4. Quality Assurance and Software Developer

Question
Which is MOST important for a successful security awareness program?
1. Technical training for security administrators
2. Aligning the training to organization requirements
3. Training management for security awareness
4. Using metrics to ensure that training is effective

Question
To detect fraud, the BEST type of audit trail to log would be:
1. User session logs
2. Firewall incidents
3. Operating system incidents
4. Application transactions

Summary of Personnel Controls
Personnel Hiring:
• Vetting new employees
• Signed documents
• Job descriptions
• Training
• Controlled departures
• Contracts and Service Level Agreements
Daily Support & Controls:
• Security documentation: policies & procedures
• Configuration management and change management
• Segregation of duties
• Hotline
• Other fraud controls

HEALTH FIRST CASE STUDY
• Jamie Ramon, MD: Doctor
• Chris Ramon, RD: Dietician
• Terry: Licensed Practicing Nurse
• Pat: Software Consultant

Workbook: Personnel Security
Step 1: Define Personnel Threats
Threat | Role | Liability or Cost if threat occurs
Malpractice | |
HIPAA violation | |
Medicare fraud | |
Fraud against company | |

Workbook: Personnel Security
Step 2: Define Personnel Controls
Threat | Role | Control (Training? Need to know? Documentation?)

Allocate Responsibility of Security to Roles
Look through the other chapters. What requirements do you have for:
• Risk?
• Physical security?
• Business continuity?
• Metrics?
• Information security?
• Governing?
• Network security?
• Incident response?
Someone has to do the tasks allocated in these chapters. Who will be responsible for each? How is this documented? How will they be trained?

Step 3: Allocate Responsibility of Security to Roles
Role | Responsibility
Nurse |
Partner |
Security Admin |

Step 4: Allocate Training, Documentation to Roles
Role | Requirements: Training, Documentation
Nurse |
Partner |
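As an added example for the Health First workbook steps (not from the slides or the book), the Python below applies the Segregation of Duties Controls and Detective Controls slides to the Medicare fraud threat: a field-level user authorization table, a claim workflow in which origination, approval and verification must be done by different people, and a review of the logged application transactions for violations. The roles, field names, user names and claim numbers are assumptions.

```python
# Added example (not from the slides): a Health First claim workflow with
# a field-level authorization table, segregation of duties on each claim,
# and a review of the logged transactions. Roles, fields, users assumed.
from collections import defaultdict

# Authorization table: role -> field -> allowed view/update/delete actions.
AUTH_TABLE = {
    "nurse":   {"vitals": {"view", "update"}, "diagnosis": {"view"}},
    "doctor":  {"vitals": {"view"}, "diagnosis": {"view", "update"}},
    "billing": {"claim_amount": {"view", "update", "delete"}},
    "partner": {"claim_amount": {"view"}},
}
# Segregation of duties: origination, authorization (approve) and
# verification are separate roles, and each step needs the earlier ones.
STEP_ROLES = {"originate": {"billing"}, "approve": {"partner"},
              "verify": {"doctor"}}
ORDER = ["originate", "approve", "verify"]

def may(role, field, action):
    """Need-to-know / least-privilege check against the table."""
    return action in AUTH_TABLE.get(role, {}).get(field, set())

class ClaimWorkflow:
    def __init__(self):
        self.steps = defaultdict(dict)  # claim -> step -> user who did it
        self.log = []                   # application transaction log

    def act(self, user, role, claim, step):
        done = self.steps[claim]
        ok = (role in STEP_ROLES.get(step, set())
              and step not in done
              and all(s in done for s in ORDER[:ORDER.index(step)])
              and user not in done.values())  # one person, one step
        self.log.append((user, role, claim, step, "ok" if ok else "denied"))
        if ok:
            done[step] = user
        return ok

def sod_violations(log):
    """Detective control: users who did more than one step on a claim."""
    steps_by = defaultdict(set)
    for user, _role, claim, step, result in log:
        if result == "ok":
            steps_by[(claim, user)].add(step)
    return sorted(k for k, s in steps_by.items() if len(s) > 1)

# Constructed log from before SoD was enforced, for the review to find.
OLD_LOG = [("clerk1", "billing", "C-100", "originate", "ok"),
           ("clerk1", "partner", "C-100", "approve", "ok"),
           ("chris", "partner", "C-101", "approve", "ok")]
```

The preventive check in `act` refuses a second step by the same person, while `sod_violations` is the surprise-audit view of the same rule over transactions that were logged without it.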