Nada G.Youssef, profile picture
Uploaded byNada G.Youssef
PPTX, PDF1,441 views

Chapter 6: Human Resources Security

This chapter discusses the importance of integrating information security practices into human resources processes. It outlines the typical stages of an employee lifecycle from recruitment to termination and describes how security is relevant at each stage. This includes conducting background checks on candidates, requiring security training and agreements for new hires, and removing access when employees leave. The goal is to mitigate risks from both internal actors like employees and contractors as well as external threats like social engineering.

Embed presentation

Downloaded 69 times
Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 6: Human Resources Security
Copyright 2014 Pearson Education, Inc. 2 Objectives ❑ Define the relationship between information security and personnel practices ❑ Recognize the stages of the employee lifecycle ❑ Describe the purpose of confidentiality and acceptable use agreements ❑ Understand appropriate security education, training, and awareness programs ❑ Create personnel-related security policies and procedures
The Employee Lifecycle ■ Represents stages in the employee’s career ■ Lifecycle models can vary but most include the following stages ❑ Recruitment ❑ Onboarding ❑ User provisioning ❑ Orientation ❑ Career development ❑ Termination Copyright 2014 Pearson Education, Inc. 3
Copyright 2014 Pearson Education, Inc. 4 What Does Recruitment Have to Do with Security? ❑ Risks and rewards of posting online employment ads: ■ A company can reach a wider audience ■ A company can publish an ad that gives too much information: ❑ About the network infrastructure and therefore allow a hacker to footprint the internal network easily and stealthily ❑ About the company itself, inviting social engineering attacks
Copyright 2014 Pearson Education, Inc. 5 Job Postings ■ Job descriptions are supposed to: ❑ Convey the mission of the organization ❑ Describe the position in general terms ❑ Outline the responsibilities attached to said position ❑ Outline the company’s commitment to security via the use of such terms as non-disclosure agreement ■ Job descriptions are NOT supposed to: ❑ Include information about specific systems, software versions, security configurations, or access controls ■ It’s harder to hack a network if one doesn’t know what hardware & software ❑ If the above information is deemed necessary, two versions of the position can be created. The second, more detailed version should be posted internally and shared with candidates that have made the “first cut”
Candidate Application Data ■ Companies are responsible for protecting the data and privacy of the job seeker ■ Non-public personal information (NPPI) should not be collected if possible Copyright 2014 Pearson Education, Inc. 6
Copyright 2014 Pearson Education, Inc. 7 The Interview ■ Job Interview: ❑ The interviewer should be concerned about revealing too much about the company during the interview ❑ Job candidates should never gain access to secured areas ❑ A job interview is a perfect foot-printing opportunity for hackers and social engineers
Copyright 2014 Pearson Education, Inc. 8 Screening Prospective Employees ❑ An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy ❑ Some higher level positions may require even more in-depth checks ❑ Many U.S. government jobs require prospective employees have the requisite clearance level
Copyright 2014 Pearson Education, Inc. 9 Types of Background Checks ❑ The company should have a basic background check level to which all employees are subjected ❑ Information owners may require more in-depth checks for specific roles ❑ Workers also have a right to privacy: Not all information is fair game to gather – only information relevant to the actual work they perform ❑ Companies should seek consent from employees before launching a background check
Copyright 2014 Pearson Education, Inc. 10 Types of Background Checks Cont. ❑ Educational records fall under FERPA. Schools must first have written authorization before they can provide student-related information ❑ Motor vehicle records fall under DPPA, which means that the DMV – or its employees – are not allowed to disclose information obtained by the department ❑ The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act
Copyright 2014 Pearson Education, Inc. 11 Types of Background Checks Cont. ❑ Bankruptcies may not be used as the SOLE reason to not hire someone according to Title 11 of the U.S. Bankruptcy Code ❑ Criminal history: The use of this sort of information varies from state to state ❑ Worker’s compensation records: In most states, these records are public records, but their use may not violate the Americans with Disabilities Act
What Happens in the Onboarding Phase? ■ The new hire is added to the organization’s payroll and benefit systems ■ New employees must provide ❑ Proof of identity ❑ Work authorization ❑ Tax identification ■ Two forms that must be completed ❑ Form I-9 ❑ Form W-4 Copyright 2014 Pearson Education, Inc. 12
What Is User Provisioning? ■ The process of: ❑ Creating user accounts and group memberships ❑ Providing company identification ❑ Assigning access rights and permissions ❑ Assigning access devices such as tokens and/or smartcards ■ The user should be provided with and acknowledge the terms and conditions of the Acceptable Use Agreement before being granted access Copyright 2014 Pearson Education, Inc. 13
What Should an Employee Learn During Orientation? ■ His responsibilities ■ Information handling standards and privacy protocols ■ Ask questions Copyright 2014 Pearson Education, Inc. 14
Copyright 2014 Pearson Education, Inc. 15 The Importance of Employee Agreements ❑ Confidentiality or non-disclosure agreements ■ Agreement between employees and organization ■ Defines what information may not be disclosed by employees ■ Goal: To protect sensitive information ■ Especially important in these situations: ❑ When an employee is terminated or leaves ❑ When a third-party contractor was employed
The Importance of Employee Agreements cont. ■ Acceptable Use Agreement ❑ A policy contract between the company and information systems user ■ Components of an Acceptable Use Agreement ❑ Introduction ❑ Data classifications ❑ Applicable policy statement ❑ Handling standards ❑ Contacts ❑ Sanctions for violations ❑ acknowledgment Copyright 2014 Pearson Education, Inc. 16
Copyright 2014 Pearson Education, Inc. 17 The Importance of Security Education and Training ■ Training employees ❑ According to NIST: “Federal agencies […] cannot protect […] information […] without ensuring that all people involved […]: ■ Understand their role and responsibilities related to the organization’s mission ■ Understand the organization’s IT security policy, procedures and practices ■ Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible”
Copyright 2014 Pearson Education, Inc. 18 The Importance of Security Education and Training cont. ■ Hackers adapt: If it is easier to use social engineering – i.e., targeting users – rather than hack a network device, that is the road they will take ■ Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company
Copyright 2014 Pearson Education, Inc. 19 What Is the SETA Model? ■ What is SETA? ❑ Security Education Training and Awareness ❑ Awareness is not training: It is focusing the attention of employees on security topics to change their behavior ❑ Security awareness campaigns should be scheduled regularly ❑ Security training “seeks to teach skills” (per NIST) ❑ Security training should NOT be dispensed only to the technical staff but to all employees
Copyright 2014 Pearson Education, Inc. 20 Summary ❑ A security policy that does not include personnel as a permanent threat to the data owned by the company is incomplete. Social engineering is more virulent than ever. ❑ Failing to train users on security topics is a bad mistake and may result in a lack of compliance for some federal mandates. ❑ All users should sign the Acceptable Use Agreement before receiving access to company’s systems and equipment

More Related Content

PPTX
Chapter 10: Information Systems Acquisition, Development, and Maintenance
byNada G.Youssef
 
PPTX
Human resources security
byCAS
 
PPTX
Chapter 7: Physical & Environmental Security
byNada G.Youssef
 
PPT
Disaster recovery & business continuity
byDhani Ahmad
 
PPTX
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
PPT
Securing Your "Crown Jewels": Do You Have What it Takes?
byIBM Security
 
PDF
Review of network diagram
bySyed Ubaid Ali Jafri
 
PDF
20 IT Auditor questions.pdf
byinfosec train
 
Chapter 10: Information Systems Acquisition, Development, and Maintenance
byNada G.Youssef
 
Human resources security
byCAS
 
Chapter 7: Physical & Environmental Security
byNada G.Youssef
 
Disaster recovery & business continuity
byDhani Ahmad
 
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
Securing Your "Crown Jewels": Do You Have What it Takes?
byIBM Security
 
Review of network diagram
bySyed Ubaid Ali Jafri
 
20 IT Auditor questions.pdf
byinfosec train
 

What's hot

PPTX
Chapter 8: Communications and Operations Security
byNada G.Youssef
 
PDF
Ch07 Managing Risk
byphanleson
 
PPTX
Chapter 14: Regulatory Compliance for the Healthcare Sector
byNada G.Youssef
 
PPTX
Chapter 1: Understanding Policy
byNada G.Youssef
 
PPTX
Chapter 12: Business Continuity Management
byNada G.Youssef
 
PPT
Chapter 3: Information Security Framework
byNada G.Youssef
 
PPTX
Whitman_Ch11.pptx
bySiphamandla9
 
PPT
Security technologies
byDhani Ahmad
 
PPTX
Chapter 5: Asset Management
byNada G.Youssef
 
PPTX
ISO 27001 In The Age Of Privacy
byControlCase
 
PPT
Implementing security
byDhani Ahmad
 
PPTX
Chapter 4: Governance and Risk Management
byNada G.Youssef
 
PDF
Introduction to Information Security
byDumindu Pahalawatta
 
PPT
Information Assurance And Security - Chapter 1 - Lesson 1
byMLG College of Learning, Inc
 
PPTX
Security Information and Event Managemen
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
PPT
Information Security
byDhilsath Fathima
 
PDF
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
Offensive Security basics part 1
bywharpreet
 
PDF
Cybersecurity crisis management a prep guide
byJoAnna Cheshire
 
Chapter 8: Communications and Operations Security
byNada G.Youssef
 
Ch07 Managing Risk
byphanleson
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
byNada G.Youssef
 
Chapter 1: Understanding Policy
byNada G.Youssef
 
Chapter 12: Business Continuity Management
byNada G.Youssef
 
Chapter 3: Information Security Framework
byNada G.Youssef
 
Whitman_Ch11.pptx
bySiphamandla9
 
Security technologies
byDhani Ahmad
 
Chapter 5: Asset Management
byNada G.Youssef
 
ISO 27001 In The Age Of Privacy
byControlCase
 
Implementing security
byDhani Ahmad
 
Chapter 4: Governance and Risk Management
byNada G.Youssef
 
Introduction to Information Security
byDumindu Pahalawatta
 
Information Assurance And Security - Chapter 1 - Lesson 1
byMLG College of Learning, Inc
 
Security Information and Event Managemen
byS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Information Security
byDhilsath Fathima
 
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Offensive Security basics part 1
bywharpreet
 
Cybersecurity crisis management a prep guide
byJoAnna Cheshire
 

Similar to Chapter 6: Human Resources Security

DOCX
Security Program and PoliciesPrinciples and Practicesby Sari.docx
bybagotjesusa
 
PPTX
Human Factors_MODULE_2.pptx
byShreeveni
 
PPTX
Pli workplace privacy in the year 2013 2013-6-13
bymkeane
 
PPT
computer security principles and practice - human factor
byAzalikaRf1
 
PPT
Ch14 Policies and Legislation
byInformation Technology
 
PPT
Hrm ethics
bySushil Prajapati
 
PPTX
HRIS Issues
byThu Nandi Nwe
 
PPTX
Digital Literacy Fundamentals Part 2.pptx
byExcellence Foundation for South Sudan
 
DOCX
Project Plan CreationInclude the following components in an M.docx
bybriancrawford30935
 
PDF
Information Security Awareness
byNet at Work
 
PDF
Workplace Privacy
by- Mark - Fullbright
 
PDF
Rothke stimulating your career as an information security professional
byBen Rothke
 
PDF
Hiring Guide to the Information Security Profession
byamiable_indian
 
PDF
Welcome to the Team! Recruiting and Hiring, Including Restrictive Covenants
byFinancial Poise
 
PPTX
Electronic Eavesdropping in the Workplace: Can We? Should We? What Could Poss...
byCase IQ
 
PPTX
Hiring and firing in the digital age
byRobert B. Fitzpatrick, PLLC
 
PDF
Welcome to the Team! Recruiting and Hiring, Including Restrictive Covenants (...
byFinancial Poise
 
PPTX
People are the biggest risk
byEvan Francen
 
PDF
Recruiting and Hiring, Including Restrictive Covenants (Series: Protecting Yo...
byFinancial Poise
 
PPTX
Security Awareness and Training
byPriyank Hada
 
Security Program and PoliciesPrinciples and Practicesby Sari.docx
bybagotjesusa
 
Human Factors_MODULE_2.pptx
byShreeveni
 
Pli workplace privacy in the year 2013 2013-6-13
bymkeane
 
computer security principles and practice - human factor
byAzalikaRf1
 
Ch14 Policies and Legislation
byInformation Technology
 
Hrm ethics
bySushil Prajapati
 
HRIS Issues
byThu Nandi Nwe
 
Digital Literacy Fundamentals Part 2.pptx
byExcellence Foundation for South Sudan
 
Project Plan CreationInclude the following components in an M.docx
bybriancrawford30935
 
Information Security Awareness
byNet at Work
 
Workplace Privacy
by- Mark - Fullbright
 
Rothke stimulating your career as an information security professional
byBen Rothke
 
Hiring Guide to the Information Security Profession
byamiable_indian
 
Welcome to the Team! Recruiting and Hiring, Including Restrictive Covenants
byFinancial Poise
 
Electronic Eavesdropping in the Workplace: Can We? Should We? What Could Poss...
byCase IQ
 
Hiring and firing in the digital age
byRobert B. Fitzpatrick, PLLC
 
Welcome to the Team! Recruiting and Hiring, Including Restrictive Covenants (...
byFinancial Poise
 
People are the biggest risk
byEvan Francen
 
Recruiting and Hiring, Including Restrictive Covenants (Series: Protecting Yo...
byFinancial Poise
 
Security Awareness and Training
byPriyank Hada
 

More from Nada G.Youssef

PPTX
مجلة 1
byNada G.Youssef
 
PPTX
Chapter Tewlve
byNada G.Youssef
 
PPTX
Chapter Eleven
byNada G.Youssef
 
PPTX
Chapter Ten
byNada G.Youssef
 
PPTX
Chapter Nine
byNada G.Youssef
 
PPTX
Chapter Eight
byNada G.Youssef
 
PPTX
Chapter Seven
byNada G.Youssef
 
PPTX
Chapter Six
byNada G.Youssef
 
PPTX
Chapter Five
byNada G.Youssef
 
PPTX
Chapter Four
byNada G.Youssef
 
PPTX
Chapter Three
byNada G.Youssef
 
PPTX
Chapter Two
byNada G.Youssef
 
PPTX
Chapter one
byNada G.Youssef
 
PPTX
Chapter 15: PCI Compliance for Merchants
byNada G.Youssef
 
PPTX
Chapter 13: Regulatory Compliance for Financial Institutions
byNada G.Youssef
 
PPTX
Chapter 9: Access Control Management
byNada G.Youssef
 
PPTX
Chapter 2: Policy Elements and style
byNada G.Youssef
 
PPTX
Preparatory Year of Saudi Electronic University
byNada G.Youssef
 
PPT
Chapter 12
byNada G.Youssef
 
PPTX
Chapter 11
byNada G.Youssef
 
مجلة 1
byNada G.Youssef
 
Chapter Tewlve
byNada G.Youssef
 
Chapter Eleven
byNada G.Youssef
 
Chapter Ten
byNada G.Youssef
 
Chapter Nine
byNada G.Youssef
 
Chapter Eight
byNada G.Youssef
 
Chapter Seven
byNada G.Youssef
 
Chapter Six
byNada G.Youssef
 
Chapter Five
byNada G.Youssef
 
Chapter Four
byNada G.Youssef
 
Chapter Three
byNada G.Youssef
 
Chapter Two
byNada G.Youssef
 
Chapter one
byNada G.Youssef
 
Chapter 15: PCI Compliance for Merchants
byNada G.Youssef
 
Chapter 13: Regulatory Compliance for Financial Institutions
byNada G.Youssef
 
Chapter 9: Access Control Management
byNada G.Youssef
 
Chapter 2: Policy Elements and style
byNada G.Youssef
 
Preparatory Year of Saudi Electronic University
byNada G.Youssef
 
Chapter 12
byNada G.Youssef
 
Chapter 11
byNada G.Youssef
 

Recently uploaded

PPTX
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
PPTX
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
PPTX
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
PDF
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
PPTX
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
PPTX
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
PDF
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
PPTX
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
PPTX
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
PPTX
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
PPTX
Q4_PPT MUSIC & ARTS 7 week 1-2, matatag curriculum
byZEN
 
PDF
java full stack programming and interview questions
byrajuashokit
 
PPTX
Greengnorance Toolkit Module 4 Active Mobility and Transport
byKarl Donert
 
PPTX
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
PDF
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
PPTX
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PDF
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
PPTX
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PDF
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
AI Is a Tool, Not a Voice: Radio, Trust, and the Human Factor
byN.A. Shah Ansari
 
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
Q4_PPT MUSIC & ARTS 7 week 1-2, matatag curriculum
byZEN
 
java full stack programming and interview questions
byrajuashokit
 
Greengnorance Toolkit Module 4 Active Mobility and Transport
byKarl Donert
 
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
Bones by Sadu Kassam (play) story ppt pdf
byRonnieMaeBorres
 
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 

Chapter 6: Human Resources Security

  • 1.
    Security Program and Policies Principlesand Practices by Sari Stern Greene Chapter 6: Human Resources Security
  • 2.
    Copyright 2014 PearsonEducation, Inc. 2 Objectives ❑ Define the relationship between information security and personnel practices ❑ Recognize the stages of the employee lifecycle ❑ Describe the purpose of confidentiality and acceptable use agreements ❑ Understand appropriate security education, training, and awareness programs ❑ Create personnel-related security policies and procedures
  • 3.
    The Employee Lifecycle ■Represents stages in the employee’s career ■ Lifecycle models can vary but most include the following stages ❑ Recruitment ❑ Onboarding ❑ User provisioning ❑ Orientation ❑ Career development ❑ Termination Copyright 2014 Pearson Education, Inc. 3
  • 4.
    Copyright 2014 PearsonEducation, Inc. 4 What Does Recruitment Have to Do with Security? ❑ Risks and rewards of posting online employment ads: ■ A company can reach a wider audience ■ A company can publish an ad that gives too much information: ❑ About the network infrastructure and therefore allow a hacker to footprint the internal network easily and stealthily ❑ About the company itself, inviting social engineering attacks
  • 5.
    Copyright 2014 PearsonEducation, Inc. 5 Job Postings ■ Job descriptions are supposed to: ❑ Convey the mission of the organization ❑ Describe the position in general terms ❑ Outline the responsibilities attached to said position ❑ Outline the company’s commitment to security via the use of such terms as non-disclosure agreement ■ Job descriptions are NOT supposed to: ❑ Include information about specific systems, software versions, security configurations, or access controls ■ It’s harder to hack a network if one doesn’t know what hardware & software ❑ If the above information is deemed necessary, two versions of the position can be created. The second, more detailed version should be posted internally and shared with candidates that have made the “first cut”
  • 6.
    Candidate Application Data ■Companies are responsible for protecting the data and privacy of the job seeker ■ Non-public personal information (NPPI) should not be collected if possible Copyright 2014 Pearson Education, Inc. 6
  • 7.
    Copyright 2014 PearsonEducation, Inc. 7 The Interview ■ Job Interview: ❑ The interviewer should be concerned about revealing too much about the company during the interview ❑ Job candidates should never gain access to secured areas ❑ A job interview is a perfect foot-printing opportunity for hackers and social engineers
  • 8.
    Copyright 2014 PearsonEducation, Inc. 8 Screening Prospective Employees ❑ An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy ❑ Some higher level positions may require even more in-depth checks ❑ Many U.S. government jobs require prospective employees have the requisite clearance level
  • 9.
    Copyright 2014 PearsonEducation, Inc. 9 Types of Background Checks ❑ The company should have a basic background check level to which all employees are subjected ❑ Information owners may require more in-depth checks for specific roles ❑ Workers also have a right to privacy: Not all information is fair game to gather – only information relevant to the actual work they perform ❑ Companies should seek consent from employees before launching a background check
  • 10.
    Copyright 2014 PearsonEducation, Inc. 10 Types of Background Checks Cont. ❑ Educational records fall under FERPA. Schools must first have written authorization before they can provide student-related information ❑ Motor vehicle records fall under DPPA, which means that the DMV – or its employees – are not allowed to disclose information obtained by the department ❑ The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act
  • 11.
    Copyright 2014 PearsonEducation, Inc. 11 Types of Background Checks Cont. ❑ Bankruptcies may not be used as the SOLE reason to not hire someone according to Title 11 of the U.S. Bankruptcy Code ❑ Criminal history: The use of this sort of information varies from state to state ❑ Worker’s compensation records: In most states, these records are public records, but their use may not violate the Americans with Disabilities Act
  • 12.
    What Happens inthe Onboarding Phase? ■ The new hire is added to the organization’s payroll and benefit systems ■ New employees must provide ❑ Proof of identity ❑ Work authorization ❑ Tax identification ■ Two forms that must be completed ❑ Form I-9 ❑ Form W-4 Copyright 2014 Pearson Education, Inc. 12
  • 13.
    What Is UserProvisioning? ■ The process of: ❑ Creating user accounts and group memberships ❑ Providing company identification ❑ Assigning access rights and permissions ❑ Assigning access devices such as tokens and/or smartcards ■ The user should be provided with and acknowledge the terms and conditions of the Acceptable Use Agreement before being granted access Copyright 2014 Pearson Education, Inc. 13
  • 14.
    What Should anEmployee Learn During Orientation? ■ His responsibilities ■ Information handling standards and privacy protocols ■ Ask questions Copyright 2014 Pearson Education, Inc. 14
  • 15.
    Copyright 2014 PearsonEducation, Inc. 15 The Importance of Employee Agreements ❑ Confidentiality or non-disclosure agreements ■ Agreement between employees and organization ■ Defines what information may not be disclosed by employees ■ Goal: To protect sensitive information ■ Especially important in these situations: ❑ When an employee is terminated or leaves ❑ When a third-party contractor was employed
  • 16.
    The Importance ofEmployee Agreements cont. ■ Acceptable Use Agreement ❑ A policy contract between the company and information systems user ■ Components of an Acceptable Use Agreement ❑ Introduction ❑ Data classifications ❑ Applicable policy statement ❑ Handling standards ❑ Contacts ❑ Sanctions for violations ❑ acknowledgment Copyright 2014 Pearson Education, Inc. 16
  • 17.
    Copyright 2014 PearsonEducation, Inc. 17 The Importance of Security Education and Training ■ Training employees ❑ According to NIST: “Federal agencies […] cannot protect […] information […] without ensuring that all people involved […]: ■ Understand their role and responsibilities related to the organization’s mission ■ Understand the organization’s IT security policy, procedures and practices ■ Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible”
  • 18.
    Copyright 2014 PearsonEducation, Inc. 18 The Importance of Security Education and Training cont. ■ Hackers adapt: If it is easier to use social engineering – i.e., targeting users – rather than hack a network device, that is the road they will take ■ Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company
  • 19.
    Copyright 2014 PearsonEducation, Inc. 19 What Is the SETA Model? ■ What is SETA? ❑ Security Education Training and Awareness ❑ Awareness is not training: It is focusing the attention of employees on security topics to change their behavior ❑ Security awareness campaigns should be scheduled regularly ❑ Security training “seeks to teach skills” (per NIST) ❑ Security training should NOT be dispensed only to the technical staff but to all employees
  • 20.
    Copyright 2014 PearsonEducation, Inc. 20 Summary ❑ A security policy that does not include personnel as a permanent threat to the data owned by the company is incomplete. Social engineering is more virulent than ever. ❑ Failing to train users on security topics is a bad mistake and may result in a lack of compliance for some federal mandates. ❑ All users should sign the Acceptable Use Agreement before receiving access to company’s systems and equipment