Employment Policies and Practices

Although people would like to think they can trust everyone in their organization to do what is right all of the time, it is just not that simple. Whether done intentionally or unintentionally, employees commonly cause security problems for the organization. However, there are good methods for helping to address some of those problems before they occur.

Separation of Duties

The separation of duties was briefly discussed earlier in this chapter as it pertains to the development process, but what about all the other workers within an organization? The separation of duties extends to all personnel in an organization. Workers who only operate within a small piece of the entire process are exposed to only a small portion of the information within that process. The less information a worker has access to, the less they can share with other individuals.

One of the most prevalent examples comes from the business world, where organizations like to get more for their money when hiring new employees. System administrators are responsible for the upkeep of the systems and applications on an organization's network. Their primary goal is to keep the systems running smoothly with as few interruptions to operations as possible. Many times, however, these same individuals are also made responsible for security on that network. Security controls tend to slow operations down in order to preserve the confidentiality, integrity, and availability of the systems, so there is an inherent conflict between the two jobs: the person who must keep things running is also the person who must decide when to stop them. Security teams should be organizationally separate from the operations group so that security decisions are not made by the people whose uptime those decisions affect.

The Hiring Process

There are a plethora of activities that take place when a new employee is being brought into an organization. Some of these are directly related to the security of the organization and include:

  • Background checks on potential new hires

  • An employment agreement

Background Checks

Background checks are an easy way to verify the information a job applicant has provided to an organization. Resumes and applications can be cross-checked against public records to ensure the applicant has been up front and honest about their experience and personal history. Criminal history, previous work experience, and formal education are all areas that can be verified through a background check process. These checks become more important as the access to sensitive information within a position increases.

Background checks can also protect the company and prevent potential problems. Verifying degrees and certifications helps reduce the threat of lawsuits and unsatisfied customers due to poorly qualified personnel working on projects. Criminal background checks will raise warning flags if they show an applicant has a criminal history that was not disclosed at the beginning of the hiring process. Checking prior work experience lets management make informed decisions about the ability of the individual to perform the duties required by the position. Were they respected and hardworking at their last organization? Have they ever been convicted of, or accused of, embezzlement or financial fraud? Do they really have a doctorate in astrophysics?

These checks can also reveal a tremendous amount of sensitive data about each person in the organization. And although background checks can provide a valuable tool for managers, the information gleaned from these checks should be held in the strictest confidence. Unauthorized access to this type of information could prove an embarrassment to the organization and the individual.

Employment Agreements

Once a manager has decided that an applicant has met the position requirements, it is normal for the employment process to begin. The key to this process is the employment agreement. Employment agreements set all the organizational expectations for the employee. There should be no doubt about what is required of employees when they come on board. In relation to information security, there are four pieces of the agreement that need to be presented:

  • The non-compete and non-disclosure agreement (NDA)

  • The corporate information security policy

  • The data classification standard

  • Account request and tracking

Each of these pieces provides the new hire with vital information on the security of the organization, and each is covered below.

Non-compete and Non-disclosure Agreements

The non-compete and non-disclosure agreement (NDA) has become common practice among most organizations. Employees signing the NDA acknowledge that they will come in contact with sensitive company processes, strategies, and products that cannot be revealed to anyone outside of the organization. The non-compete states that the employee will not leave the organization and take its current customer base with them. Since no two organizations do business the same way and no two organizations have exactly the same customers and projects, these two documents provide protection for the organization. Employees, present or former, who do not comply with the requirements in these documents will find themselves subject to legal action from the organization.

Corporate Information Security Policy

The corporate information security policy is the foundation of all other security initiatives within an organization. It is developed to protect the organization, educate the workforce on security requirements, and set the rules to be followed while working for the organization. Each new hire needs to understand the policy up front and know what punitive actions will be taken in the event of a misstep. Presenting this information to the employee at this point allows them to ask questions and allows the organization to address any concerns the new employee might have at that time.

Test Day Tip 

Security policies actually contain information on a wide array of topics. They may cover acceptable use by employees, incident response procedures in the event of a security incident, approved secure configurations for primary operational servers, backup and restore requirements, data classification label standards, and more. The idea is that security policies are intended to be comprehensive guidance on security within the organization. When you think of a security policy during the test, remember that it is not a single static document. Instead, it is an evolving document consisting of many smaller and more precise components.

Within the security policy is the acceptable use policy (AUP). The AUP defines in great detail what actions are allowed and disallowed on the organizational network. Acceptable Internet traffic will be addressed as well as the rights of the users on the system. Are users allowed to use Internet chat programs? Are they allowed to install their own applications on company computers and resources? Each organization will have a different security policy based on what it believes are the most important aspects of information security at that organization.

Data Classification Standard

The data classification standard defines the type of information processed within the organization and associates a classification level with each one. This standard becomes personalized during the new hire process as the employee becomes educated on the information classifications that directly impact their job responsibilities, as well as the other information classifications within the organization that may not impact their job. New employees have the ability to ask questions at this stage, before employment has officially begun, so that there are no misunderstandings once they begin working.

Account Request and Tracking

Hiring managers are directly responsible for the system access given to new employees. These accounts should be requested directly by the hiring manager and tracked as the employee moves from job to job within the organization. Managers use the concepts of least privilege and separation of duties to determine the actual accesses needed to various information systems.

As part of the tracking process, it is wise to implement a paper trail for all requested accounts and access privileges. These records should be initiated when the account is requested, and managers sign for the appropriate level of access. All subsequent access upgrades are tracked on the same forms. It is very important for these forms to remain current: when an employee leaves the organization, they are the list used to remove every account and access the user had, so any grant that bypassed the form (a shared service account, an emergency change, a transfer that was never recorded) will survive termination unless the form is periodically reconciled against what the systems actually report.

Termination Policies

Termination policies provide a guidebook for out-processing employees who are moving on to other companies or organizations. These are based on the security policies for the organization and provide methods for closing out user accounts, administrative accounts, collecting physical access cards or keys, and reminding the employee of the employment agreement and non-disclosure agreements (NDAs) that were signed when they came on board. These policies provide a way to safeguard sensitive organization information by completely removing all access the employee may have obtained while working there and reiterating the legal obligation the employee has to remain silent about proprietary business processes, procedures, products, research, and customers.
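The Separation of Duties, Account Request and Tracking, and Termination Policies sections above describe one record kept over the life of an account: the manager signs for access, the record is updated on every change, and it is the revocation list at out-processing. The following is an added example, not code from the study guide. It assumes a small separation-of-duties matrix of role pairs one person may not hold together, a rule that nobody signs for their own access, and a constructed snapshot of what each system reports at termination time so the paper trail can be checked against reality rather than trusted blindly.

```python
"""Access ledger: request, track, separation-of-duties check, termination.

Added example for the study guide text; all names, systems, roles and the
SoD matrix are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumed SoD matrix: role pairs that must never sit with one person.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"sysadmin", "security-auditor"}),          # operations vs. security
    frozenset({"payment-requester", "payment-approver"}),  # request vs. approve
}


@dataclass
class Grant:
    """One signed line on the access form."""
    user: str
    system: str
    role: str
    approved_by: str
    granted: date
    revoked: Optional[date] = None


class AccessLedger:
    """The paper trail: one row per grant, updated on every change."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def request(self, user: str, system: str, role: str,
                manager: str, on: date) -> Grant:
        # The hiring manager signs for access; nobody approves their own.
        if manager == user:
            raise ValueError("self-approval is not allowed")
        grant = Grant(user, system, role, manager, on)
        self.grants.append(grant)
        return grant

    def active(self, user: str) -> List[Grant]:
        return [g for g in self.grants if g.user == user and g.revoked is None]

    def sod_conflicts(self, user: str) -> Set[FrozenSet[str]]:
        """Toxic role combinations the user currently holds."""
        roles = {g.role for g in self.active(user)}
        return {pair for pair in TOXIC_PAIRS if pair <= roles}

    def terminate(self, user: str, on: date) -> List[Tuple[str, str]]:
        """Close every open grant; return the (system, role) list to remove."""
        todo = []
        for g in self.active(user):
            g.revoked = on
            todo.append((g.system, g.role))
        return sorted(todo)

    def reconcile(self, live: Dict[str, Set[str]]
                  ) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
        """Compare the ledger with what each system actually reports.

        Returns (orphans, stale): orphans exist on a system but nobody signed
        for them (or they outlived a termination); stale are on paper only.
        """
        expected = {(g.system, g.user) for g in self.grants if g.revoked is None}
        actual = {(system, user) for system, users in live.items() for user in users}
        return actual - expected, expected - actual


def demo() -> dict:
    """Walk one hire, one SoD violation, one termination and one reconciliation."""
    ledger = AccessLedger()
    hired = date(2024, 1, 8)
    ledger.request("alice", "hr-db", "reader", "carol", hired)
    ledger.request("alice", "finance-app", "payment-requester", "carol", hired)
    ledger.request("bob", "prod", "sysadmin", "carol", hired)
    ledger.request("bob", "siem", "security-auditor", "carol", hired)  # conflict
    try:
        ledger.request("bob", "prod", "root", "bob", hired)  # self-approval
        self_approval_refused = False
    except ValueError:
        self_approval_refused = True

    revoke = ledger.terminate("alice", date(2024, 6, 1))

    # Constructed snapshot of the systems after out-processing: alice's
    # finance-app account was never removed, prod has an unrequested service
    # account, and bob's siem account is missing although the form says active.
    live = {"hr-db": set(), "finance-app": {"alice"},
            "prod": {"bob", "svc-backup"}, "siem": set()}
    orphans, stale = ledger.reconcile(live)
    return {"self_approval_refused": self_approval_refused,
            "bob_conflicts": ledger.sod_conflicts("bob"),
            "alice_conflicts": ledger.sod_conflicts("alice"),
            "revoke": revoke, "alice_active": ledger.active("alice"),
            "orphans": orphans, "stale": stale}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The reconciliation step is the practitioner's check the form alone cannot give: the revocation list only covers what was signed for, so orphans (an account that outlived termination, a service account nobody requested) are exactly the access the termination policy is meant to eliminate, and a stale row means the form has drifted from the system it describes.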



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
