Personnel Policies

Policies

• Policies form the foundation of any security program.

• Policies define:

  • How IT will approach security.

  • How users approach security.

  • How certain situations will be handled.

Policy Document Types

• Policies - General management rules.

• Standards - Specific mandatory controls (based on a given policy).

• Guidelines - Recommendation or good practices.

• Procedures - Instructions on how to implement a policy or standard.

Policy Elements

• Overview

• Purpose

• Scope

• Target Audience

• Definitions

• Version

• Implementation Date

• Compliance / Exceptions

• Policy Statements

Common Policies

• Acceptable Use Policy (AUP)

• Access Policy

• Authentication Policy

• Backup & Recovery Policy

• Data Classification Policy

• Email/Messaging Policy

• Social Media Policy

• Physical Security Policy

• Physical Security Policy

• Incident Response Policy

• Mobile Device Policy

• Network Security Policy

  • Wireless Policy

  • Remote Access Policy

Policies should be short.

Standard Operating Procedure (SOP)

• Standard set of instructions for workers to carry out routine operations.

• Aim to achieve efficiency and consistent output.

Agreement Types

• Non-Disclosure Agreement (NDA)

  • Protects against sensitive information disclosure.

• Business Partner Agreements (BPAs)

  • Specifies partner financial and fiduciary responsibilities (profit sharing).

• Service-Level Agreements (SLAs)

  • Specifies nature and level of service by a provider (uptime).

• Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA)

  • Outlines the terms and details of an agreement.

  • An agreement between two or more parties where the parties cannot create a legally enforceable agreement.

  • ​https://csrc.nist.gov/publications/detail/sp/800-47/final​

• Interconnection Security Agreement (ISA)

Personnel Management

• Mandatory Vacations

• Job Rotation

• Separation of Duties

• Clean Desk

• Role-based awareness training based on job responsibilities.

• Continuing Education

Separation of Duties

• When user accounts are created by one employee and user permissions are configured by another employee.

• An admin who is responsible for creating user account should not have the authorization to configure the permissions associated with the account.

• Requires more than one individual to accomplish a critical task.

• Ensures that no individual can compromise a system.

• Considered valuable in deterring fraud.

• Can be static or dynamic.

  • Static: refers tot eh assignment of individuals to roles and the allocation of transactions to roles.

    • An individual can be either an initiator of the transaction or the authorizor of a transaction.

  • Dynamic: An individual can initiate as well as authorize transactions.

Change Management

• Change management stipulates that multiple changes to a computer system should not be made at the same time.

• This makes tracking any problems that can occur much simpler.

• Change management includes the following rules:

  • Distinguish between your system types.

  • Document your change process.

  • Develop your changes based on the current configuration.

  • Always test your changes.

  • Do not make more than one change at a time.

  • Document your fallback plan.

  • Assign a person whoi is responsible for change management.

  • Regularly report on the status of change management.