The security of any solution is only as good as its weakest link. Most of the time, the humans who interact with the solution are the weakest link. Regardless of the security controls applied in the solution, be they physical or logical, people always try to find a way to avoid, circumvent, subvert or disable them. Humans perceive these controls as obstacles that hinder progress in their day-to-day activities. Architects of any solution that applies security controls should consider the humanity of the users who will be interacting with the solution or with the environment where the solution will reside. (Stewart, Tittel, & Chapple, CISSP®: Certified Information Systems Security Professional Study Guide, Fifth Edition, 2011) This paper focuses on employment policies and procedures, and how they impact the information security program of an enterprise.
The paper discusses:
- The need to develop employment policies to support an information security program.
- How an acceptable use policy based on a code of conduct and underpinned by an established ethical standard would support an information security program.
- The aspects of social psychology that can be used to develop policies, standards, and procedures in a firm.
- The techniques that can be leveraged from social psychology to improve the acceptance of the policies, standards, and procedures.
- Selected recommendations on the steps that can be taken to improve the reception of these most important documents throughout your organization.
Since the development, deployment and ongoing administration of any solution involve humans, there is always a chance for issues, problems, and compromises to occur at every stage of a security solution's development. Therefore, an information security program should evaluate the effect of the users, designers, programmers, developers, and managers of the system.
Hiring new personnel into the organization involves several important steps, which include creating a job description, setting a classification for the job, screening candidates, and hiring and training the candidate best suited for the job. (Stewart, Tittel, & Chapple, 2011)
The enterprise should have a hiring process that establishes whether a prospective employee is trustworthy and can protect the data the person is entrusted with. The job description is critical when the person will handle sensitive information of the firm. Sensitive information is any data that is not available to the public. The job description should clearly define the separation of duties, the job responsibilities, and the need for job rotation if the person will handle such data.
Separation of Duties. Separation of duties is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators. (Stewart, Tittel, & Chapple, 2011) Applying separation of duties to an individual's job helps prevent that individual from undermining or subverting important security mechanisms in the enterprise. When separation of duties is applied to an administrator's position, the principle of least privilege is essentially in effect: the administrator can only see the data the role needs to see and can only perform the tasks the role requires. Separation of duties also helps protect against collusion, where two or more people cooperate in negative activities such as fraud, theft, or espionage.
Job Responsibilities. Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. The responsibilities may need access to various objects, resources, and services that handle sensitive information. Staff access to such data should be governed by the information security policies and standards. The policies and standards should require personnel to use multi-factor authentication for any privileged access to sensitive information and should enforce the principle of least privilege when authorizing access to such data.
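The two controls described above, separation of duties and least privilege, can be checked mechanically once role assignments are written down. The following is an added illustration, not code from the paper or any cited source; the roles, permissions and conflict pairs are constructed sample data, and the conflict list would in practice come from the job descriptions.

```python
"""Review role assignments for separation-of-duties conflicts and for
privileges that are granted but never used (least-privilege review).
Added example; all roles, permissions and conflicts below are constructed."""

# Constructed: the permissions each role grants.
ROLE_PERMISSIONS = {
    "payables_clerk": {"vendor.create", "invoice.enter"},
    "payables_manager": {"invoice.approve", "payment.release"},
    "dba": {"db.read", "db.admin"},
    "auditor": {"db.read", "log.read"},
}

# Constructed: pairs of permissions one person must never hold together,
# because holding both lets a single individual complete a fraud alone.
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),   # create a fake vendor and pay it
    ("invoice.enter", "invoice.approve"),   # enter and approve the same invoice
    ("db.admin", "log.read"),               # alter data and hide the audit trail
]


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles, role_permissions=ROLE_PERMISSIONS,
                   conflicts=SOD_CONFLICTS):
    """Map each user to the conflicting permission pairs they hold.
    A user whose combined roles grant both halves of a pair is flagged,
    even if no single role granted both."""
    found = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [(a, b) for a, b in conflicts if a in perms and b in perms]
        if hits:
            found[user] = hits
    return found


def unneeded_permissions(roles, permissions_used,
                         role_permissions=ROLE_PERMISSIONS):
    """Least-privilege review: permissions a user is granted through roles
    but has not exercised (permissions_used comes from access logs)."""
    return effective_permissions(roles, role_permissions) - set(permissions_used)
```

A user who accumulates roles through job rotation is exactly the case the first check catches: each role on its own is clean, but the combination is not.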
Job Rotation. Job rotation is the concept of rotating employees among numerous job positions. Job rotation creates knowledge redundancy among employees, enabling any rotated employee to perform a task even if others are not available. The company will therefore likely not experience serious downtime or loss of productivity due to illness or other incidents that keep an employee away from work. Job rotation also helps reduce fraud, data modification, theft, sabotage, and misuse of information, because the window of opportunity to perform such illegal activity is small in each job.
Screening and Background Checks
Candidates for a specific position should be screened based on the sensitivity and classification defined by the job description. The degree of harm that could be caused by accidental or intentional violations of security by a person in a job determines the sensitivity and classification of the position. An enterprise should include background checks and security clearances as necessary steps in establishing that a candidate is qualified, trustworthy, and meets the requirements of a position that handles sensitive data. The background check process includes: (1) obtaining the candidate's work and educational history, (2) verifying references, (3) interviewing colleagues, neighbors, and friends, (4) checking police and government records for arrests or illegal activities, (5) verifying identity through fingerprints, driver's license, and birth certificate, and (6) interviewing the candidate in person. Sometimes the process could also include a polygraph test, drug testing, and a personality evaluation. The author has also seen some employers perform online background checks and review of social networking accounts of applicants as a standard practice. However, the author cannot comment on whether it is legal in all jurisdictions, as the author is not an attorney.
Every employer should have new hires sign an employment agreement that outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, the details of the job description, violations and their consequences, and the length of time the position is to be filled by the employee. The agreement should be used to verify that the prospective employee has read and understood the documentation associated with their job position.
In addition to employment agreements, employers should require all prospective employees to sign a nondisclosure agreement (NDA). An NDA is a security-related document that helps protect against unauthorized disclosure of the organization's confidential information by the employee. Some enterprises that rely heavily on the intellectual property they develop or maintain also require employees to sign a non-compete agreement (NCA), preventing the employee from working for a competing organization for a certain time after they leave the company. The goal of the NCA is to allow the original company to maintain its competitive edge by keeping its human resources working for its benefit rather than against it. An enterprise should be careful in preparing an NCA, as it can be challenged in some jurisdictions and may deter some skilled workers.
Though not always possible, the employer should always try to hold an exit interview with the employee towards the end of the employment. The exit interview lets the employer review the liabilities and restrictions placed on the employee by the employment agreement, the nondisclosure agreement, and other security-related documentation. The employer should also ensure that all access to its resources is revoked and that its physical and logical assets are returned by the end of the employment.
Acceptable Use Policies
The Acceptable Use Policy (AUP) tells employees how to use the enterprise's IT resources appropriately. The enterprise should draft the AUP keeping in mind that IT resources are valuable business assets and are often expensive to procure and maintain. These business assets may also contain sensitive information that is valuable to the enterprise. (Grama, 2010)
The company provides employees access to the IT resources to meet its business goals. Such access includes system access, corporate-owned laptops and mobile devices, employee e-mail accounts, and Internet access. Though these resources are issued for business purposes, there is always an opportunity for them to be used outside of work. Employees may use these resources in many non-business ways. Some of these uses include:
- Exchanging personal e-mails using a work e-mail address.
- Sending unsolicited and hoax e-mail messages around the office.
- Using the Internet for non-business purposes.
- Online shopping.
- Accessing social media during work hours.
- Downloading unlicensed software for non-business use.
- File sharing throughout the workplace or over the Internet.
Impact. Unacceptable use of an organization’s IT resources can be costly. It can result in information security compromises, introduce malware onto IT systems, lead to reduced productivity due to distracted employees, and could make the organization legally responsible for an employee’s misuse of IT resources.
Code of Conduct. A well-developed AUP can avert some of these issues. It states a code of conduct, permitted uses of IT resources, lists prohibited actions, and the consequences for violating the acceptable use rules. The AUP is one of the most important information security policy documents and should be leveraged to reduce harm to an organization.
Ethical Standards. In addition to the AUP, the company should have a code of conduct established to ensure everyone follows acceptable behavior in the workplace. The code of conduct, coupled with the AUP, helps prevent disruptive employees from creating negative work environments that may lead to unhealthy consequences for other employees and to overall reduced productivity.
The greatest information security danger to any organization is not a process, technology, or equipment; rather, it is the people who work within the “system” that hide the inherent danger. Understanding psychology can produce information security and awareness programs that are more personal, relevant, and persuasive. Ultimately, knowing, understanding, and applying what we know about the engines of personal behavior will allow us to implement the programs. (Chun, 2011)
The enterprise needs to understand people's attitudes, which are critical in determining the best approach for gaining acceptance of policies and practices. Attitude is the positive or negative response of people to something, and it matters in two ways:
Predictor of behavior. If the company can determine the target population's attitudes toward information security issues such as privacy and confidentiality, the company can use that information to predict how secure its environment will be.
Targets of change. If the company can subtly or directly change someone's attitude, it can consequently change the behavior of its employees. Often it is easier to change people's behavior through an attitude shift than to change the behavior directly.
The company could use the Tripartite Model, also known as the ABC Model, to determine its employees’ attitude. It can be assessed using three components: affect, behavior, and cognition.
Affect. The affective component, an important element in determining attitude, captures people's feelings towards an object or subject. People are more likely to participate in and do things that make them feel happy or good. (Chun, 2011)
Behavior. The behavior component is based on the fact that people tend to like something that they are already doing. (Stephenson, 2009) A good example is when people are forced to change their network password every 90 days. Initially, people may dislike the routine. However, they seem to like it when they are used to it.
Cognition. The cognitive component is the thoughtful, thinking aspect of our attitudes. People's opinions toward an object or subject can be developed based solely on insightful and process-based thinking. (Stephenson, 2009) That is probably the reason why TV commercials on weekends differ from those during the weekdays.
By understanding what employee attitudes are and how they are structured, the enterprise gets valuable clues into how to tailor its information security policies and practices to have more impact on its employees. Some of the social psychology techniques that can be applied are:
- Reciprocity: The enterprise could use the natural need to reciprocate by offering inexpensive "favors" or "gifts" as part of the security awareness program.
- Cognitive Dissonance: By making information security requirements mandatory and consistent, the enterprise will find that over the long-term, user dissatisfaction towards a security element will wane and positive attitude change toward the program may occur as a result of cognitive dissonance. (Chun, 2011)
- Diffusion of Responsibility: The security awareness program should help to make every employee understand that information security is everyone’s problem. It should describe how the information security program is of practical importance to the organization’s interests, operation, and security.
- Individualization: Describe how the security awareness program is intended to be relevant to the employee on a personal level. Help the employee understand the personal benefits when the employer is secure and how the knowledge benefits beyond their work.
- Group Polarization: The enterprise should ensure the group dynamics of its employees are steered towards a positive attitude to information security.
- Obedience to Authority: The enterprise will have better success in implementing its policies, standards, and procedures if they are endorsed by and communicated from the executive office.
- Familiarity and Repeated Exposure: Even if there is initial resistance to a program or procedure, the enterprise should ensure that employees have repeated exposure to the various components, policies, and rationales for the program. The repeated exposure will help in changing end-user attitudes.
The employment policies of an enterprise should support its information security program. They should be based on a code of conduct laid out by the enterprise and underpinned by an ethical standard established throughout the firm. The policies, standards, and procedures for the information security program, as well as for human resource management, will be more acceptable to employees if they are based on social psychology and on the methods outlined in the recommendations above.
- Architect, C. (2016, December 19). Executive Director. (S. Abdul Jabbar, Interviewer)
- Francis, R. (2017, March 27). 7 tips for better security awareness training sessions. Retrieved from csoonline.com: http://www.csoonline.com/article/3154760/social-engineering/7-tips-for-better-security-awareness-training-sessions.html
- Chun, S. (2011). The ABCs of a Persuasive Security Awareness Program. Retrieved from http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm
- Grama, J. L. (2010). Legal Issues in Information Security. Sudbury: Jones & Bartlett Learning.
- Peltier, J., & Peltier, T. (2004). Complete Guide to CISM Certification. Taylor & Francis Group.
- Santa Clara University. (2015, August 1). A framework for ethical decision making. Retrieved from scu.edu: https://www.scu.edu/ethics/ethics-resources/ethical-decision-making/a-framework-for-ethical-decision-making/
- Shimeall, T. J., & Spring, J. M. (2014). Introduction to Information Security. Waltham: Syngress.
- Stephenson, P. (2009). Information Security Essentials. Auerbach Publishing.
- Stewart, J. M., Tittel, E., & Chapple, M. (2011). CISSP®: Certified Information Systems Security Professional Study Guide, Fifth Edition. Indianapolis: Wiley Publishing, Inc.
- UC San Diego. (2016, May 4). Making ethical decisions: process. Retrieved from blink.ucsd.edu: https://blink.ucsd.edu/finance/accountability/ethics/process.html
- Virtru. (2015, June 12). 6 Common ways employees compromise enterprise data security (and what you can do about it). Retrieved from virtru.com: https://www.virtru.com/blog/enterprise-data-security/
- Whitman, M. E., & Mattord, H. J. (2016). Principles of Information Security. Boston: Cengage Learning.