Personnel Policies


  • Policies form the foundation of any security program.

  • Policies define:

    • How IT will approach security.

    • How users will approach security.

    • How certain situations will be handled.

Policy Document Types

  • Policies - General management rules.

  • Standards - Specific mandatory controls (based on a given policy).

  • Guidelines - Recommendation or good practices.

  • Procedures - Instructions on how to implement a policy or standard.

Policy Elements

  • Overview

  • Purpose

  • Scope

  • Target Audience

  • Definitions

  • Version

  • Implementation Date

  • Compliance / Exceptions

  • Policy Statements

Common Policies

  • Acceptable Use Policy (AUP)

  • Access Policy

  • Authentication Policy

  • Backup & Recovery Policy

  • Data Classification Policy

  • Email/Messaging Policy

  • Social Media Policy

  • Physical Security Policy

  • Incident Response Policy

  • Mobile Device Policy

  • Network Security Policy

    • Wireless Policy

    • Remote Access Policy

Policies should be short.

Standard Operating Procedure (SOP)

  • Standard set of instructions for workers to carry out routine operations.

  • Aims to achieve efficiency and consistent output.

Agreement Types

  • Non-Disclosure Agreement (NDA)

    • Protects against sensitive information disclosure.

  • Business Partner Agreements (BPAs)

    • Specifies partner financial and fiduciary responsibilities (profit sharing).

  • Service-Level Agreements (SLAs)

    • Specifies nature and level of service by a provider (uptime).

  • Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA)

    • Documents the intent and shared expectations of the parties; less formal than a contract and usually not legally binding.

  • Interconnection Security Agreement (ISA)

    • Documents the technical and security requirements for connecting two organizations' systems (e.g., encryption, firewall rules, incident notification).

Personnel Management

  • Mandatory Vacations

    • Forces another person to cover the role, exposing fraud or misconfiguration that depends on one person always being present.

  • Job Rotation

    • Limits how long any one person controls a function and cross-trains staff.

  • Separation of Duties

  • Clean Desk

    • Sensitive material is locked away when unattended so it cannot be read or removed by passers-by.

  • Role-based awareness training tailored to job responsibilities.

  • Continuing Education

Separation of Duties

  • Example: user accounts are created by one employee and their permissions are configured by another.

  • An admin who is responsible for creating user accounts should not be authorized to configure the permissions associated with those accounts.

  • Requires more than one individual to accomplish a critical task.

  • Ensures that no single individual, acting alone, can compromise a system.

  • Considered valuable in deterring fraud, since it forces collusion.

  • Can be static or dynamic.

    • Static: refers to the assignment of individuals to roles and the allocation of transactions to roles.

      • An individual can be either an initiator of transactions or an authorizer of transactions, never both.

    • Dynamic: an individual may be permitted to both initiate and authorize transactions, but never the same transaction.
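The static and dynamic variants above differ in where the control is enforced: at role assignment time, or per transaction. The following is an added example, not code from the original notes; the `Workflow`, `User`, `Transaction` and `Role` names and the two-role approval design are assumptions made for illustration.

```python
"""Separation of duties in a two-person approval workflow.

Static SoD: a user may hold the initiator role or the authorizer role,
never both.  Dynamic SoD: a user may hold both roles, but may never
authorize a transaction they themselves initiated.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Role(Enum):
    INITIATOR = "initiator"
    AUTHORIZER = "authorizer"


class SoDViolation(Exception):
    """Raised when an action would defeat separation of duties."""


@dataclass
class User:
    name: str
    roles: Set[Role]


@dataclass
class Transaction:
    tx_id: str
    amount: int
    initiated_by: str
    authorized_by: Optional[str] = None


class Workflow:
    """Approval workflow enforcing either static or dynamic SoD (assumed design)."""

    def __init__(self, mode: str) -> None:
        if mode not in ("static", "dynamic"):
            raise ValueError("mode must be 'static' or 'dynamic'")
        self.mode = mode
        self.users: Dict[str, User] = {}
        self.transactions: Dict[str, Transaction] = {}

    def add_user(self, user: User) -> None:
        # Static SoD is enforced at assignment time: the two roles are
        # mutually exclusive, so the conflict can never arise later.
        if self.mode == "static" and {Role.INITIATOR, Role.AUTHORIZER} <= user.roles:
            raise SoDViolation(f"{user.name}: initiator and authorizer roles are mutually exclusive")
        self.users[user.name] = user

    def _require_role(self, name: str, role: Role) -> User:
        user = self.users.get(name)
        if user is None or role not in user.roles:
            raise PermissionError(f"{name} does not hold the {role.value} role")
        return user

    def initiate(self, name: str, tx_id: str, amount: int) -> Transaction:
        self._require_role(name, Role.INITIATOR)
        if tx_id in self.transactions:
            raise ValueError(f"transaction {tx_id} already exists")
        tx = Transaction(tx_id, amount, initiated_by=name)
        self.transactions[tx_id] = tx
        return tx

    def authorize(self, name: str, tx_id: str) -> Transaction:
        self._require_role(name, Role.AUTHORIZER)
        tx = self.transactions[tx_id]
        if tx.authorized_by is not None:
            raise ValueError(f"transaction {tx_id} is already authorized")
        # Dynamic SoD is enforced per transaction: holding both roles is
        # allowed, but the same person may not fill both on one transaction.
        if tx.initiated_by == name:
            raise SoDViolation(f"{name} initiated {tx_id} and may not authorize it")
        tx.authorized_by = name
        return tx


def rejected(fn, *args) -> bool:
    """Return True when fn(*args) is refused as an SoD violation."""
    try:
        fn(*args)
    except SoDViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data: two workflows, one per SoD mode.
    static = Workflow("static")
    static.add_user(User("alice", {Role.INITIATOR}))
    static.add_user(User("bob", {Role.AUTHORIZER}))
    dual = User("carol", {Role.INITIATOR, Role.AUTHORIZER})
    print("static: dual-role user refused:", rejected(static.add_user, dual))
    static.initiate("alice", "tx-1", 500)
    print("static: bob authorizes tx-1:", static.authorize("bob", "tx-1").authorized_by)

    dynamic = Workflow("dynamic")
    dynamic.add_user(User("carol", {Role.INITIATOR, Role.AUTHORIZER}))
    dynamic.add_user(User("dave", {Role.INITIATOR, Role.AUTHORIZER}))
    dynamic.initiate("carol", "tx-2", 900)
    print("dynamic: carol self-authorizes tx-2:", rejected(dynamic.authorize, "carol", "tx-2"))
    print("dynamic: dave authorizes tx-2:", dynamic.authorize("dave", "tx-2").authorized_by)
```

The static check lives in `add_user` because once the roles are exclusive the per-transaction conflict cannot occur; the dynamic check must live in `authorize`, because the conflict only becomes visible when a specific person acts on a specific transaction.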

Change Management

  • Change management stipulates that multiple changes to a computer system should not be made at the same time.

  • Making one change at a time makes tracking any problem that occurs much simpler, because the cause is isolated to that change.

  • Change management includes the following rules:

    • Distinguish between your system types.

    • Document your change process.

    • Develop your changes based on the current configuration.

    • Always test your changes.

    • Do not make more than one change at a time.

    • Document your fallback plan.

    • Assign a person who is responsible for change management.

    • Regularly report on the status of change management.