Week 14 - Human Resource Security

Human Resources Security


Security Awareness, Training, and Education

  • Standards Reference:

    • ISO 27002: Code of Practice for Information Security Management

    • NIST SP 800-100: Information Security Handbook: A Guide for Managers


Benefits of Security Programs

  • Improves employee behavior

  • Increases accountability

  • Mitigates liability for employee actions

  • Ensures compliance with regulations and obligations


Human Factors

  • Significance: Employee behavior is crucial for securing systems and information

  • Key Problems:

    • Errors and omissions

    • Fraudulent actions

    • Actions by disgruntled employees


Comparative Framework for Awareness, Training, and Education

  • Attributes:

    • Awareness: What

    • Training: How

    • Education: Why

  • Objectives:

    • Awareness: Recognition

    • Training: Skill

    • Education: Understanding

  • Teaching Methods:

    • Awareness: Media like videos, newsletters, posters

    • Training: Practical instruction, cases, hands-on practice

    • Education: Theoretical instruction like seminars and readings

  • Evaluation Methods:

    • Awareness: True/false, multiple choice

    • Training: Problem-solving

    • Education: Essay writing

  • Impact Timeframes:

    • Awareness: Short term

    • Training: Intermediate

    • Education: Long term


Awareness

  • Purpose: Inform employees of security issues and responsibilities

  • Importance: Understanding the organization's security is vital to its well-being

  • Engagement: Need management buy-in and enthusiasm

  • Tailoring: Programs should fit the organization’s needs


NIST SP 800-100 Insight

  • Awareness tools promote information security by identifying threats and vulnerabilities.

  • Explains allowed actions and behavioral rules for agency information systems.


Training

  • Aim: Teach secure IT-related skills

  • Focus for Various Groups:

    • General Users: Best security practices

    • Developers: Foster a security mindset

    • Management: Evaluate risks, costs, and benefits

    • Executives: Understand risk management goals


Education

  • Focus: In-depth knowledge for security professionals

  • Source: Often from external sources like colleges or specialized programs


Employment Practices

  • Scope: Managing personnel who have access to sensitive information

  • Issues:

    • Employees inadvertently contribute to security violations

    • Forgetting security protocols

    • Knowingly violating procedures


Security in Hiring

  • Objective: Ensure suitability of employees to reduce fraud or misuse

  • Background Checks:

    • Importance of accurate investigations

    • Enhanced checks for sensitive positions: criminal and credit checks


Employment Agreements

  • Must Include:

    • Responsibilities for security

    • Confidentiality agreements

    • Acknowledgment of the organization’s security policy


During Employment

  • Objectives: Enhance employee awareness of threats and responsibilities

  • Key Elements: Comprehensive security policies and ongoing training

  • Principles: Least privilege, separation of duties, limited reliance on key personnel
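The three principles listed above can be checked mechanically against a role assignment table. The following is an added example, not material from the original slides; the users, roles, conflict pairs and usage data are constructed for illustration. It flags one person holding two conflicting duties (separation of duties), roles held by exactly one person (reliance on key personnel), and assigned roles that have gone unused (least privilege).

```python
"""Separation-of-duties, key-person and least-privilege checks over a
constructed role assignment table. Added example; all data is made up."""
from collections import defaultdict

# Constructed assignments: user -> set of roles held
ASSIGNMENTS = {
    "alice": {"ap_clerk", "ap_approver"},            # holds a conflicting pair
    "bob": {"ap_clerk"},
    "carol": {"dba", "backup_operator", "helpdesk"},  # sole holder of two roles
    "dave": {"helpdesk"},
}

# Constructed conflict pairs: duties that one person must not hold together
SOD_CONFLICTS = [
    ("ap_clerk", "ap_approver"),     # create a payment and approve it
    ("developer", "prod_deployer"),  # write code and push it to production
]

# Constructed usage data: (user, role) -> days since the role was last exercised.
# A pair missing from this table has never been used.
ROLE_USAGE = {
    ("alice", "ap_clerk"): 3,
    ("alice", "ap_approver"): 120,
    ("bob", "ap_clerk"): 1,
    ("carol", "dba"): 2,
    ("carol", "backup_operator"): 5,
    ("dave", "helpdesk"): 10,
}


def find_sod_violations(assignments, conflicts):
    """Return sorted (user, role_a, role_b) triples where one user holds both roles."""
    violations = []
    for user, roles in assignments.items():
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                violations.append((user, role_a, role_b))
    return sorted(violations)


def find_single_holders(assignments):
    """Return sorted (role, user) pairs for roles held by exactly one person.

    A sole holder is a key-person dependency: if that person leaves or is
    unavailable, nobody else can perform the duty."""
    holders = defaultdict(set)
    for user, roles in assignments.items():
        for role in roles:
            holders[role].add(user)
    return sorted((role, next(iter(users)))
                  for role, users in holders.items() if len(users) == 1)


def find_idle_roles(assignments, usage, max_idle_days=90):
    """Return sorted (user, role) pairs assigned but unused for more than
    max_idle_days (or never used). Candidates for removal under least privilege."""
    idle = []
    for user, roles in assignments.items():
        for role in roles:
            days = usage.get((user, role))
            if days is None or days > max_idle_days:
                idle.append((user, role))
    return sorted(idle)


if __name__ == "__main__":
    print("SoD violations:", find_sod_violations(ASSIGNMENTS, SOD_CONFLICTS))
    print("Sole role holders:", find_single_holders(ASSIGNMENTS))
    print("Idle roles:", find_idle_roles(ASSIGNMENTS, ROLE_USAGE))
```

Run as-is to see the three reports over the constructed data; in practice the assignment and usage tables would be exported from the identity provider and the conflict pairs maintained by the control owners.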


Termination Security

  • Objectives: Manage orderly exit of employees to mitigate risks

  • Critical Actions:

    • Remove access privileges

    • Retrieve company property

    • Notify relevant stakeholders


Email and Internet Use Policies

  • Importance: Address concerns about non-work use and malware risks

  • Suggested Policies:

    • Business use only

    • Policy scope

    • Content ownership

    • Privacy and conduct standards

    • Prohibited activities

    • Disciplinary measures


Security Incident Response

  • Importance: Procedures for controlling incidents are essential

  • Benefits: Systematic responses and reduced recovery times


CSIRT: Computer Security Incident Response Team

  • Responsibilities:

    • Detecting incidents

    • Minimizing losses

    • Restoring services


Security Incidents Definition

  • Definition: Any action that threatens confidentiality, integrity, availability, etc.

  • Examples: Unauthorized access, information modification


Security Incident Terminology

  • Artifact: Any file/object involved in security breaches

  • CSIRT: Team for responding to security incidents

  • Incident: Violation of security policies

  • Triage: Initial sorting of incident information

  • Vulnerability: A weakness in technology that can be exploited


Incident Detection

  • Encouragement: Report anomalies

  • Tools: Use of automated tools like IDS and log analyzers


Triage Function

  • Goal: Centralize incident information for effective response


Incident Response Procedures

  • Importance: Essential to document response actions and identify causes for recovery


Incident Handling Life Cycle

  • Overview: Information flow during incident management


Documenting Incidents

  • Importance: Post-incident documentation for future prevention


Information Flow to/from Incident Handling Service

  • Examples: Announcements, and how information flows within the organization and to outside parties


Summary of Key Topics

  • Security awareness, training, and education

  • Employment practices

  • Email and internet usage policies

  • CSIRT functions


Copyright Information

  • Protected work, dissemination restrictions apply.