organization's personnel are different from its other
assets. Personnel assets require careful handling and
two levels of security. by Avinash Kadam
my last article 'Asset Classification and Control,'
readers may have noticed the absence of human assets.
When handling information, the personnel are the most
critical element. Personnel are responsible for creating
and handling the information assets. They are the end
users of the information, as well as custodians of these
assets. In brief, they are themselves the most critical
asset who handle the information assets of the company.
Unlike all the other assets, they can be sentimental,
temperamental, emotional or just plain ornery. Those
very human characteristics need very careful handling.
We need to have two levels of security for handling
the personnel assets:
Identification and classification of personnel as
per the asset classification and control scheme.
Specifications of roles and responsibilities: Personnel
are the creators, custodians and destroyers of assets.
For these three incarnations, we need to specify roles
and responsibilities, dos and don'ts, training
and education, and finally the disciplinary processes.
Personnel asset classification and identification
The human resources department is responsible for personnel
screening. This involves obtaining satisfactory character
reference, one business and one personal, also confirmation
of 'claimed' academic and professional qualifications
and identity checks. While doing these routine checkups,
an additional factor is to identify the access level
the employee will have to information. If the employee
has to handle information of a classified nature, the
background check should be more stringent.
Since the nature of this responsibility as well as the
personal circumstances keep on changing during the job,
the background check will have to be repeated periodically
and not end with the checkup done once at the entry
level alone. As per the annual Computer Crime and Security
Survey conducted by Computer Security Institute (CSI)
and Federal Bureau of Investigation (FBI), the second
most likely source of attack on information system is
disgruntled employees, the first source being independent
hackers. An employee has intimate knowledge of the internal
systems and an attack from an insider would be much
more damaging. Periodic screening of the old employees
thus assumes more importance.
If an organization employs contractors and temporary
staff, the same level of checking needs to be done for
all such staff. If the organization is not in a position
to do this checking by itself, it will have to ensure
that the external agency providing the staffing service
does the check up and takes up responsibility.
The human asset classification involves granting clearance
levels to handle information assets. The classification
should not be done merely to reflect the organizational
chart but should be decided based on organizational
needs and segregation of duties, which could be implemented
without compromising efficiency.
The clearance level could indicate the classification
level of information that a person is allowed to access.
Access to information may be for reading, writing or
modifying, storing or retrieving and finally disposing
or destroying. For example, a computer operator may
have access to information only for taking backup but
not for reading or modification. If the current IT technology
makes the implementation of such access rights difficult,
(the software or the hardware may not support it), they
should be implemented defining appropriate procedures
as well as segregation of duties.
Defining security as part of job responsibilities
Keen awareness of security is possible only when it
is defined clearly as part of job responsibility. This
should include responsibility of maintaining the security
policy of the company, as well as specific responsibilities
for the protection of specific assets or security processes
Thus a computer programmer's job description should
mention his or her responsibilities about creating a
program with security specifications in mind. This will
be a new angle as the programmers are usually concerned
about functional specifications and not security specifications.
This lapse has given rise to most of the security breaches,
which exploit bad programming practices like not testing
the programs for buffer overflow conditions. A hacker
is able to crash a computer by feeding input data, which
causes the buffer overflow.
Terms and conditions of employment
Terms and conditions of employment should have explicit
mention of the employee's responsibility for information
security. All the applicable laws related to information
security should be considered while drafting the employment
contract. The terms of the contract should extend outside
the organization's premises and outside the normal working
hours, and should cover the period after the end of
employment. This means that the information acquired
by employees during their employment period should not
be used by them at the end of employment, at least for
a predefined period.
If all this looks too one-sided, consider the recent
judgment passed by the State of California, USA. "Over
strenuous objections from the business lobby, on Sept.
26, 2002, California enacted a sweeping measure that
mandates public disclosure of computer-security breaches
in which confidential information may have been compromised.
The law covers not just state agencies but private enterprises
doing business in California. From July 1, 2003, those
who fail to disclose that a breach has occurred could
be liable for civil damages or face class actions."
(Business Week Online, November 11, 2002)
Responsibility for information is getting defined with
every such judgment and we will see more stringent measures
The strict measures for information security could only
be implemented with confidentiality and non-disclosure
agreements signed with employees, casual staff and even
third-party users. These agreements should be reviewed
whenever there is a change of status like an employee
leaving the organization or a contract coming to an
Information security education and training
Ignorance of law is unpardonable, similarly you cannot
be pardoned for 'ignorance of information security'
to justify inaction. An organization is expected to
take all necessary measures to appropriately train its
employees as well as third party users about information
security policies and procedures adapted by the organization.
The training could be customized for the needs and responsibilities
of the staff. It should include:
An information security awareness program for the
top management which should educate them about the
importance of information security and the measures
adapted by the organization to achieve the security
Merely issuing the security policy is not enough.
A security awareness program customized for the end
user should be designed. Every security measure will
be viewed as an impediment in the way of efficiency
by the end users. Unless the training program explains
the cause and effect of every security requirement,
the end user may spend their creative intelligence
on devising clever tricks to circumvent the security
Availability of Internet and email facilities at the
work place is taken for granted today. Security training
to educate everybody about the legal responsibilities
and correct use of information processing facilities
is necessary before access to information or services
Specific training on how to identify social engineering
attempts and thwart them could be the single most
important security measure.
Responding to security incidents and malfunctions
Only alert and responsive personnel could take most
important preventive and detective security actions
by quickly responding to the security incidents and
malfunctions. Employees should be especially encouraged
to report any security incident immediately. A formal
but easy procedure should be established. A feedback
process should be implemented so that the actions taken
can be reported back to demonstrate the commitment towards
security. The incidents could be used as examples during
the user training programs.
Reporting security weaknesses
Users should be encouraged to report any observed or
suspected security weakness to the appropriate authority.
At the same time, users should also be educated not
to become self-appointed detectives to discover security
weaknesses in the system. This may be interpreted as
an attempt to breach security. With easy availability
of vulnerability assessment tools and also well-publicized
security flaws, this may be a temptation, especially
to the technical staff. They should be encouraged to
join the security teams in official capacity, if they
have the time and inclination towards such work.
Reporting software malfunctions
Similar to reporting security weaknesses, the software
malfunctions should also be immediately reported and
immediate actions should be taken to contain the malfunctioning
software from affecting other systems.
Learning from incidents
There should be a strong process for learning from the
incidents. Each incident should be analyzed to identify
the root cause and reason for failure of the controls.
Based on this analysis, a decision may be necessary
to provide additional controls or enhance the existing
controls. The cost of each incident should be calculated.
This will be required while justifying additional controls
as well as review of security policy and procedures.
A security policy without a well-defined disciplinary
process is like having a toothless dog to guard your
property. The barking alone is not enough to deter the
miscreants, there has to be a threat of being bitten
Since we are dealing with the most critical asset, i.e.
personnel, we have to be careful when framing a disciplinary
policy for the organization. The process should be correct,
fair and adequate. Legal as well as HR departments should
be involved while designing the process.
The process should be based on identifying the impact
of security lapse. This is similar to the risk assessment
while selecting the controls. The disciplinary action
should punish the behavior, which exposes the organization
to risk. Higher the risk, more severe should be the
punishment. Thus, using weak passwords for accessing
personal e-mail may not be a very risky behavior, but
using the same password for accessing a financial database
is definitely a risky behavior. Accessing the Internet
for searching business information may not be considered
risky behavior, but visiting sites, which are of dubious
nature, may be a very risky behavior.
It is necessary to clearly identify the behavior, which
is punishable by disciplinary action, and convey the
same through a security policy, as well as awareness
Implementation of the disciplinary process is not a
very easy task. A step-by-step procedure may be designed.
The first step will be to create awareness about the
disciplinary process. During this phase, only verbal
warnings should be issued to the defaulters. The next
phase would be to create 'painful' awareness, by issuing
written warnings to defaulters. The last phase could
be the punishment phase. The punishment should be commensurate
with the offence as well as persistence of the crime
and may range from loss of pay to loss of job.
Kadam is Chief Executive - Assurance and Training at
Miel e-Security, Pvt. Ltd. He can be reached at firstname.lastname@example.org