What to do during a staff termination or change of employment?

The final category of Human Resource Security is how our security handles both employee terminations and when an employees role is changed in some way. Thus HR Security should be a consideration at all stages of an employee’s time at the organization.

7.3.1. Termination or change of employment responsibilities.

An organization’s security should take into account staff turnover; Ensuring that when employees leave, either through termination or resignation, there is limited negative impact on the organization’s security posture. This requires additional planning to address security concerns and challenges.

We need to ensure that our IT departments are in sync with our HR departments so that the employee’s access to information systems is revoked at the correct time to protect our systems and data from the former employee. This coordination is also required to ensure company equipment in the possession of the employee is returned. The employee should also be made aware of any obligations he or she has to the organization after his employment ceases, such as NDA’s and non-compete clauses.

These steps should be carried out when-ever an employee leaves their role even if they are simply taking up a new role in the same company, as it limits the risk of data breaches and permission/privilege creep. One of the more neglected issues that impact companies is that when an employee moves teams, is promoted or has a similar role change; they are given the access required to carry out their new role, but the access they had for their previous role is retained. This can lead to long serving employees having access far in excess of what they need to carry out their tasks and presenting a risk. It is better to prevent this by removing access as it is no longer required.

How to reduce your risk throughout your staffs employment.

Our obligations to our staff and security continue throughout the time the employee works for the organization. From making sure the management are aware of their security focused responsibilities, making sure security-awareness programs happen in your organization and ensuring there is a fair, understood disciplinary process is in place to address security breaches.

7.2.1. Management responsibilities.

This control requires we make sure management enforces the information security requirements. Good security practices cannot be put in place and abided by without managerial support. For example, having great, comprehensive password protection policies is no good if a manager allows, or even encourages staff to share login credentials before they go on annual leave so they can cover for each other. Managers must be specifically instructed to apply information security standards as per the organizations policies and procedures, including providing training where required.

7.2.2. Information security awareness, education and training

It is often said that the biggest risk to security comes from staff and users of IT systems. The best defence we have against this weak link is training. Studies have shown that the more educated a user is, the less likely they are to be the cause of security incidents. This is due to increased knowledge but also increased awareness of the risks the staff member’s organization faces. From this it quickly becomes apparent that one of the best ways to protect your organization is to put into place an initiative for continuous security awareness training, and more general information security training, for all staff. This will ensure that staff understand their responsibilities, types of attacks that may target them and the different threat vectors. It can also instil certain best practices into staff, such as not holding the door open to unidentified people, not giving out information over the phone, to be more scrupulous when deciding if an email is a phishing attack and even to discourage staff from discussing sensitive matters with colleagues in public places. Part of this training should include familiarising staff with policies and other security documents.

7.2.3. Disciplinary process.

It is inevitable that, despite our best efforts, there may be times when it becomes necessary to discipline staff. Having a defined disciplinary process that is enforced ensures both uniformity and fairness. This is an essential practice for modern organizations. This flows into ensuring security policies and procedures are followed and disciplining staff for deviations. If there is a verifiable security breach and the cause is found to be a staff member not following best practices security breach the disciplinary process should begin and it should allow for different degrees of result depending on the severity of wrongdoing by the staff. On top of this, employees should be made aware of this process.

Different countries have different laws and requirements around staff discipline and this process should be handled by qualified HR staff.

What to do before you hire a new staff member.

Pre employment tasks in the Human resource security clause can have its importance overlooked if we are not careful. Much is said of the Insider Threat and when we are hiring a new employee we are accepting that risk into our companies. We should do everything we can to ensure the employees we hire and to provide them with clear terms of employment to make sure expectations are known and understood.

7.1.1. Screening

Screening of candidates should be carried out prior to them being offered a role at your organization. This has a range of benefits if done in an appropriate manner. These benefits can include confirming an employee’s qualifications, work history and finding issues with the person that could compromise their integrity. All screening to be carried out should be executed to a level that is appropriate for the role the candidate is applying for,a prospective CEO should have a stringent check carried out, while an entry level junior may have more relaxed checks. To ensure the correct screening measures are taken all steps in the process should be defined in a procedure document and executed in a manner that meets local laws and regulations. Some concerns that the organization should address when deciding on screening procedures are; which specific employees/roles will be carrying out the screening, what exactly is screened for and who verifies that the screening process was carried out correctly.

Some examples of what we can screen for are;

  • Valid references given when candidate applied for the position,
  • Garda vetting where required,
  • Gaps in CV,
  • Criminal conviction,
  • Background in drug, alcohol or gambling abuse,
  • Verification of the credentials the candidate claims.

Depending on the industry and role the candidate is applying for the depth of the screening can vary but screening should be carried out for employees, contractors, and outsourcing companies.

7.1.2. Terms and conditions of employment.

It is important that information security responsibilities for both employees and contracts are included in their contracts. This can ease confusion as all employees and contractors understand what is expected of them and agree to these terms before joining your organization. These can include confidentiality and non-disclosure agreements for those staff handling sensitive data, they can inform employees of any monitoring that is carried out (within the boundaries of local laws), the use of the employee PII and even acknowledgements that the results and outputs an employee produces within the course of their employment is owned by the company (which would deal with patents, copyrights and other IP types). Lastly it should include general information security requirements and responsibilities.

Getting secure with mobile devices and remote workers!

Organizing your information security does not just cover devices that stay inside your office. We must take into account portable devices, BYOD’s and those staff that work from home. Most organizations have to plan for remote workers connecting to their systems, from travelling sales folk to people working from home we need to have policies in place to handle this securely. Likewise with smart wearables, laptops, mobile phones and a variety of other mobile devices brought into your organization every day we are confronted with a unique challenge keeping ourselves secure. Fortunately by applying these 2 controls in our organization we can better manage these risks.

 

6.2.1. Mobile devices policy.

In the modern organization, mobile devices are a given. Staff with laptops that move around, leave your organization’s premise; Uncontrolled iPads, Smartphones, smart wearables with incredibly accurate cameras and all with Wi-Fi, Bluetooth access and even GPS. The threat landscape is changing. All organizations, big and small, face risks due to these devices and this risk needs to be properly managed. The control recommends a Mobile Device Policy to address these concerns by imparting minimum standards and usage restrictions on these devices. The policy should include details on;

  • registration of mobile devices so the organization can track device and identify owners in case of misuse,
  • physical protection of mobile devices,
  • restrictions on software installation,
  • mobile device software versions and for applying patches,
  • restriction of connection to information services,
  • access controls,
  • cryptographic techniques to encrypt the drive and for connecting the office from outside the organization,
  • malware protection such as requiring a specific Anti-Virus version with up to date signatures,
  • remote disabling, erasure, or lockout in case the device is lost so that any sensitive information stored on that device can be destroyed,
  • backups,
  • use of web services and apps.

With mobile devices, there are times when it is the employee’s private property and placing restriction on what the employee sees as their own, can be a challenge but is necessary for the protection of the organization. Having a policy in place that an employee needs to read through and agree to can help staff understand where the boundaries of acceptable use are and the requirements to use a device at all. This easy to understand document can help improve acceptance of the organizations mobile device security.

Even just making an employee aware through security awareness training can reduce the risk of mobile devices such as by making the employee conscious of his or her surroundings when they open sensitive emails and can encourage an employee to question what wireless networks they use for business purposes.

The strictness of these restrictions should be tailored to your organization’s risk appetite. There are many Mobile Device Management platforms companies can make use of to better manage these assets.

 

6.2.2. Teleworking.

When an organization allows its employees to work remotely it introduces risks that must be acknowledged and mitigated against. There are many things an organization should consider such as whether to provide an employee with equipment to work from home with, or to allow them to use their own personal devices. In general, the organization will provide company laptops to staff working from outside of the organization, who connect to the corporate network with a VPN. Organizations that allow employees to use their personal equipment should take additional steps to ensure threats are not introduced to your network, for example requiring software to be installed that monitors applications installed on the device, granting the corporate IT team with additional powers over the personal device and ensuring the security level of that device (such as requiring a patched OS, up-to-date antivirus etc).

Other controls can include controling the times employees can access the network to prevent abuse.

How a companies internal organization can impact your security

For the second entry to our ISO 27001:2013 series we discuss the Internal Organization category in the Organization of information security clause. The category is discussing how your organizations security should be organized, who should do what and who is responsible for what. In many enterprise organizations this can be defined as a RACI chart but this is something all organisations can benefit from. People need to know who’s responsibility it is to do what tasks and who is accountable that they are completed correctly, without this there is always a risk that gaps will appear and task will not be done.

6.1.1. INFORMATION SECURITY ROLES AND RESPONSIBILITIES.

To ensure any tasks discussed in your security policies are fulfilled it is important that roles and responsibilities are designated. This gives accountability and responsibility to ensure duties are carried out. This ties into the previous sections where we discussed policies and the roles and responsibilities should be included in those policies. For example who is responsible for organizing the response to incidents? Who reviews systems to ensure they are compliant with GDPR? The list of roles and responsibilities can get very long but it is essential that every employee knows what is expected of them.

6.1.2. SEGREGATION OF DUTIES

Separation of duties is one of the most well-known and important IT security tenets. It is a key concept to the CISSP, CISA, Security+ and a variety of other certification and even regulations and laws such as Sarbanes-Oxley act in the United States of America. The control deals with the risks associated with one person having too much power. To give an example of a risk this control deals with; if an employee can both write and sign checks he can easily write out a check to himself and sign it. This is an example of where there is no control in place for the separation of duties. If we were to implement this control in this situation that employee would be able to write a check but would need another employee to sign it. Similar risks can occur frequently in an organization and can impact the organization in a variety of ways, and not just the financial example given. To give a security example many data centers have dual controls that prevent a single person gaining physical access to a server, with two people needing to be present before opening the cage, possibly having two separate locks to open.

Having controls in place to enforce a separation of duties and having this in policy documents can give us protection and mitigate these types of risks.

6.1.3. CONTACT WITH AUTHORITIES.

A breach will, eventually, happen to your organisation, as risk can never be completely eliminated. The organization needs to be prepared for such an event and part of this is having procedures in place with contact information that instructs the staff member in how to contact the relevant authorities. These procedures should contain contact information for who to contact for the relevant breaches, such as contact information for the Data Protection Commissioner for Personally Identifiable Information being stolen, and it should be clearly stated when to contact those authorities. This document should be readily available and staff should be made aware of it.

6.1.4. CONTACT WITH SPECIAL INTEREST GROUPS.

As security is always changing it is important that your specialist staff keep in touch with updates and developments. This can be achieved in many ways such as requiring staff with certifications should maintain their membership with the accrediting bodies, keep up with the required CEU/fees for their certifications, and to keep in contact with the local infosec community. Encouraging staff to attend industry events like OWASP talks, conventions such as DEFCON and other events to keep strong networks can give your organization a deeper well of security knowledge to draw from. Likewise, encouraging staff to keep up to date using news sites, blogs and other resources is also good practice for this end in a time effective and budget friendly way.

This not only gives your staff an up-to-date insight into new and developing threats but also allows them to draw on the community, gain mentors, exchange information and grow in their understanding of best practices to better prepare you for defending your organization and responding to threats.

6.1.5. INFORMATION SECURITY IN PROJECT MANAGEMENT.

Whenever we are planning a new project, whether its infrastructure, application, or other, we should always include security into our earliest stages of planning, design, and management. Too often security is seen as some after thought, tacked on at the end; If its considered at all! By having a project managers look at security from the very beginning of the project security risks and issues can be identified at the earliest stage of the project, when it is cheapest and easiest to deal with.

While we will look for security problems in the project itself, we should also look at new attack vectors that the project being implemented could introduce and the potential risks that could be generated from the result. As described in 6.1.1 defined roles and responsibilities for information security should be established to ensure all staff know their role for a secure project throughout its lifespan.

The need for managerial direction for information security.

The first part of our series discusses the category Management direction for information security in the Information security policies clause . There are 2 controls in this category and they deal with having written, accessible and reviewed information security policies.

5.1.1. POLICIES FOR INFORMATION SECURITY.

Organizations should have written documents, detailing their security policies, standards, guidelines and procedures, and these should be readily accessible to staff and other relevant parties. There are two “levels” of documents you should keep. The first level is the Information security policy which gives a high-level view of our security objectives. It displays the reasoning for our security policies and how they tie into your organization’s goals. It describes the security we have and shows that senior management supports the organizations security initiatives, which can be very important for gaining employee support and compliance. These policy provides direction for an organization with regards to security, and it may reference regulations, legislation and other lower level organization policies. It should also provide guidance on how deviations to policy requirements are handled by management.

The second “level” includes lower level policies that are simple, easy to understand and highly specific. They may describe Acceptable Use of IT systems and resources, how identity and access is managed and how the organization treats personally identifiable information(PII). There can be many policies but they need to be specific in their focus and simple to understand of all employees. Your organization can have dozens of policies if needed, but there are some specifically recommended by ISO in these controls.

These recommends policies are:

  • Access control,
  • Information classification,
  • Physical and environmental security,
  • Acceptable use of resources,
  • Clear desk and clear screen,
  • Information transfer,
  • Mobile devices and teleworking,
  • Restrictions on software installation and use,
  • Backup,
  • Protection from malware,
  • Management of technical vulnerabilities,
  • Cryptographic controls,
  • Communications security,
  • Privacy and protection of personally identifiable information,
  • Supplier relationships.

5.1.2. REVIEW OF POLICIES FOR INFORMATION SECURITY.

Like all parts of security, policies should not be static, they should follow a life cycle of continuous improvement. The organization and the environment in which the organization operates is fluid and subject to change. To reflect this there should be a process in place for regular reviews of the policies. Again, this is not because there may be errors in your latest draft, but because security as a landscape is constantly shifting. With new laws, such as the General Data Protection Regulation and Network and Information Systems Directive in the European Union, being introduced and past laws like the EU-US Safe harbour agreement being invalidated, our policies should be reviewed on at least an annual basis to make sure they are still fit for purpose. This will not only keep your organization safe from a regulatory perspective but for changes to the security landscape too, such as incorporating the introduction of new technologies such as IoT and wearables devices into our security plans, allowing our policies to evolve over time to best protect the organization and to ensure best practices can be adhered to and updated.