By following the common practices laid out in this section, organizations can go a long way toward ensuring good day-to-day security. Because we have identified employees as one group of people who can affect operational security, several controls belong before an individual is ever hired. Validate the candidate's claims of education and skills, and perform a background check where the position warrants it. Hire the individual under a probationary period, specify clearly whether the job requires special qualifications or a security clearance, and have him or her sign a nondisclosure agreement, a noncompete agreement, and possibly a nonsolicitation agreement. All of these steps should be completed before someone becomes part of the organization's staff. Operational security controls that apply after someone is hired include new-hire orientation, separation of duties, job rotation, least privilege, mandatory vacations, audit controls, and effective termination practices. Each of these is discussed next.
New-Hire Orientation
One effective way to make sure employees know what is expected of them is a new-hire orientation. The goal of this training is to teach employees the organization's established security policies and procedures, including its acceptable use policies (AUPs). An organization is much better off having every employee actively participate in its security than relying on a few IT security officers alone.
Other measures help keep employees focused on security. Some organizations hand out pens, note pads, or other items printed with a few of the organization's security policies. A semiannual policy review lets employees reread current policies and sign an acknowledgment that they have agreed to them. Periodic security-awareness emails or newsletters reinforce good security practices between reviews.
Separation of Duties
Separation of duties describes dividing a task so that more than one person is required to complete it, which means a single person cannot both commit and conceal an error or fraud. The concept ties closely to the principle of least privilege. As an example, some banks split the safe combination between two employees: each holds three of the six numbers needed to open the safe. Without collusion, no single person can obtain access to the safe's contents.
Job Rotation
Although cross-trained employees are always valuable, job rotation is about more than redundancy and backup. Its primary security benefit is that it makes fraudulent activity easier to detect: a person who rotates into a position reviews, in effect, the work of the person who held it before. For example, if John is stealing money from the company and Steve is rotated into John's position, it would take a very deep friendship to keep Steve from telling the boss that John is a thief.
Least Privilege
Least privilege is another important concept that goes a long way toward achieving an organization's security goals. It means that individuals (and, as discussed below, processes) are granted only the access and resources they need to accomplish their required tasks, and nothing more.
As an example, imagine that your company has just added computer terminals to several of the conference rooms. These have been placed where meeting attendees, consultants, and sales representatives can access product information. Although these computers allow limited Internet access, all other activities are blocked. Services such as network browsing, email, File Transfer Protocol (FTP), and Domain Name Service (DNS) are not available. This reduces the opportunity for resource misuse.
Over time, a failure to enforce least privilege results in authorization creep (also called privilege creep), in which employees move from job to job and keep accumulating rights and access that nobody revokes. Each change of role should trigger a review, and the rights and access the employee no longer needs should be removed.
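The two personnel controls above lend themselves to a simple periodic audit: compare what each user actually holds against what his or her current roles justify (authorization creep), and check for "toxic" combinations that no single person may hold (separation of duties). The script below is an added example written for this page, not from the book or any real product; the role baseline, the toxic-pair list, and the user records are constructed sample data, and the entitlement names are hypothetical.

```python
"""Audit for authorization creep and separation-of-duties violations.

Added example, not from the book: the role baseline, the toxic-pair list
and the user records below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed baseline: the entitlements each current role legitimately needs.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ad:reset-password", "ticketing:agent"},
    "accounts-payable": {"erp:invoice-approve", "erp:vendor-pay"},
    "vendor-master": {"erp:vendor-create"},
    "sysadmin": {"ad:domain-admin", "vpn:admin", "ticketing:agent"},
}

# Constructed separation-of-duties rules: combinations no single person may
# hold, because together they let one person complete a whole fraudulent
# transaction (create a fake vendor, then approve or pay its invoices).
TOXIC_PAIRS = [
    frozenset({"erp:vendor-create", "erp:vendor-pay"}),
    frozenset({"erp:vendor-create", "erp:invoice-approve"}),
]


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # roles the user holds today
    entitlements: frozenset   # access the user actually has today


def justified_entitlements(roles, baseline=ROLE_ENTITLEMENTS):
    """Union of what the user's current roles need. A role missing from the
    baseline justifies nothing, so stale or misspelled roles surface as creep
    instead of silently excusing access."""
    justified = set()
    for role in roles:
        justified |= baseline.get(role, set())
    return justified


def authorization_creep(user, baseline=ROLE_ENTITLEMENTS):
    """Entitlements held but not justified by any current role: revoke these."""
    return sorted(user.entitlements - justified_entitlements(user.roles, baseline))


def sod_violations(user, toxic_pairs=TOXIC_PAIRS):
    """Toxic combinations fully present in the user's entitlements. This is a
    separate check from creep: both halves may be legitimately granted by two
    roles the same person holds, and that combination is still a violation."""
    return sorted(tuple(sorted(pair)) for pair in toxic_pairs
                  if pair <= user.entitlements)


def audit(users, baseline=ROLE_ENTITLEMENTS, toxic_pairs=TOXIC_PAIRS):
    """Return {name: {"revoke": [...], "sod": [...]}} for users with findings."""
    findings = {}
    for user in users:
        creep = authorization_creep(user, baseline)
        sod = sod_violations(user, toxic_pairs)
        if creep or sod:
            findings[user.name] = {"revoke": creep, "sod": sod}
    return findings


# Constructed sample: John moved from accounts payable to the help desk but
# kept his old ERP access (creep); Steve's access matches his role exactly;
# Mary legitimately holds two roles whose combination violates SoD.
SAMPLE_USERS = [
    User("john", frozenset({"helpdesk"}),
         frozenset({"ad:reset-password", "ticketing:agent",
                    "erp:invoice-approve", "erp:vendor-pay", "erp:vendor-create"})),
    User("steve", frozenset({"sysadmin"}),
         frozenset({"ad:domain-admin", "vpn:admin", "ticketing:agent"})),
    User("mary", frozenset({"accounts-payable", "vendor-master"}),
         frozenset({"erp:invoice-approve", "erp:vendor-pay", "erp:vendor-create"})),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS).items():
        print(f"{name}: revoke {finding['revoke']}; SoD violations {finding['sod']}")
```

In practice the role baseline comes from the HR system and the entitlements from the directory or IAM platform; the point of the two-part check is that revoking creep alone is not enough, because Mary's violation survives a creep review and is caught only by the toxic-combination rule.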
Least privilege is not a concept strictly for individuals; it is just as important for privileged applications. Every application and process should run with the minimum privilege it needs, so that a compromise of that process yields the attacker as little as possible. IIS is a good example: earlier versions ran with LocalSystem privileges, far more than a web server needs, so a single flaw in the web server handed an attacker full control of the host. Beginning with IIS 6.0 on Windows Server 2003, worker processes run by default under the low-privilege Network Service account.
Mandatory Vacations
Even though everyone thinks it is great that Bob hasn't taken a vacation in 10 years, the fact that the accountant is always at work might be a problem. Bob might be avoiding vacation because he is performing fraudulent activities: by never leaving, he stays available to cover for his scheme and nobody else ever handles his work. Fraud is much easier to uncover when employees are required to take their vacations and someone else performs their duties in the meantime. A week away provides ample time for illicit activity to surface.
Termination
Termination is sometimes necessary, but many surveys show it is one of the tasks managers dislike most. To protect the organization, managers should follow standardized termination procedures. A structured process helps ensure that everyone is treated equally and that departing employees have no opportunity to destroy or damage company property or data. Prudent steps to incorporate into the procedure include these:
Disabling computer and network access at the time of notification, not afterward
Monitoring the employee while he or she packs personal belongings
Ensuring that the employee is never left alone after the termination process begins
Verifying that the employee returns company identification and all company property, including access tokens, keys, and laptops
Escorting the employee from the building