
Contribute to Personnel Security Policies


This course is the second of four modules in Domain 1 of the CISSP, which covers security and risk management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Professional Ethics
  • How to develop and implement documented security policies, standards, procedures, and guidelines and the differences between them
  • The fundamentals of business continuity requirements
  • How to contribute to personnel security policies

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous but is not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


So we're going to move on to the next section, contributing to personnel security policies, and in this section we're going to be discussing the risks that derive from human-based sources. In this module we'll discuss candidate screening, the various forms of agreements and policies that are put in place between the employer and the employee, termination processes, the various roles we have to contend with (the vendor, the consultant, and the contractor), and we're going to begin addressing the subject of privacy.

So imagine yourself as a hiring manager. You have a position that needs to be filled, you envision what that position is going to involve and what a candidate should have, and you begin putting together a job description and an experience and qualifications profile, which you will then finalize and publish so that you can attract candidates. The first thing you want to do is think about what needs to be accomplished. What qualifications should someone who is going to accomplish those things have? How long should they have been doing this? What kind of maturity do we need? What sort of education? What sort of certifications? All of those questions have to be asked and answered by you as the hiring manager before you post the position. But there are secondary factors that have to be considered as well.

So we start with the job description and put as much objective text around it as we can: roles, responsibilities, education, experience, and so on. Then, when it comes to experience, we want to be sure we have a way of verifying whatever the candidates are going to claim, so we want reference checks built into the process. If the position is going to be a very sensitive one, or if not sensitive then certainly critical to our operation, we may have to do some level of background checking. And then we want objective evidence of their qualifications: education, certifications, and so on. Once we have put our candidates through this initial vetting process, done our interviews, decided who seems to be the best fit, and made our hiring decision, we bring that person on board.

Then the next step in the process is conducted: we put them through NEO, New Employee Orientation. We're going to cover some basic things in it. We're going to talk about the workplace culture, the organizational structure, and, as we discussed earlier in this course, the code of ethics that we want them to adopt. We're going to state as clearly and as precisely as possible what the code of conduct is expected to be. We'll describe for them what we consider to be conflicts of interest, how they identify those, and how they inform us of them. And we'll go on to describe various policies about diversity, inclusion, and workplace behavior. There will of course be more objective items such as gift handling, non-disclosure agreements, acceptable use, and a fairly wide spectrum of other things that constitute behaviors that are allowed and those that are not within our workplace. And it must be said what the consequences are for failing to meet those particular expectations and standards.

Now separation of duties is something that is extremely important throughout the entire employment cycle. Separation of duties ensures that too much authority does not end up in too few hands, but it is also about not combining duties that, in combination, would create a conflict of interest. For example, having one employee handle both accounts payable and accounts receivable, or having the employee who handles incoming inventory also be the sole employee who handles all of the outbound inventory. Such combinations of duties give those employees the opportunity to cook the books, so to speak, and so in all cases separation of duties needs to be examined closely to ensure that we identify those risks and eliminate them. Two of the factors that go into this are need to know and least privilege. Need to know relates to the role the individual is in and the capability or information requirements of that role or position. Least privilege describes the level of access to be granted: enough to fully enable the role to succeed, but at the lowest level of exposure or capability that still provides that full enablement.
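The two checks described above, a separation-of-duties review for toxic combinations and a least-privilege comparison of what a person holds against what the position needs, are the kind of thing an access-review script does over an IAM export. The following is an added example, not code from the course: the roles, entitlements, conflict pairs, users and job requirements are constructed to mirror the lecture's accounts payable/receivable and inbound/outbound inventory cases, and a real deployment would pull assignments from the identity system rather than from inline dictionaries.

```python
"""Separation-of-duties and least-privilege review over role assignments.

Added example, not part of the course. All data below is constructed for
illustration; entitlement names are assumptions, not any product's scheme.
"""

# Entitlement pairs that must never be held by one person (a toxic-combination
# matrix). Constructed to mirror the lecture's examples.
SOD_CONFLICTS = {
    frozenset({"ap.pay_invoice", "ar.record_receipt"}),
    frozenset({"inventory.receive", "inventory.ship"}),
}

# Role -> entitlements the role grants. Constructed.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap.pay_invoice", "ap.view_invoice"},
    "ar_clerk": {"ar.record_receipt", "ar.view_ledger"},
    "warehouse_in": {"inventory.receive", "inventory.view"},
    "warehouse_out": {"inventory.ship", "inventory.view"},
    "auditor": {"ap.view_invoice", "ar.view_ledger", "inventory.view"},
}

# User -> roles currently assigned. Constructed.
USER_ROLES = {
    "alice": {"ap_clerk", "ar_clerk"},
    "bob": {"warehouse_in"},
    "carol": {"warehouse_in", "warehouse_out"},
    "dave": {"auditor", "ap_clerk"},
}

# User -> what the position actually needs (need to know). Constructed.
JOB_REQUIREMENTS = {
    "alice": {"ap.pay_invoice", "ap.view_invoice"},
    "bob": {"inventory.receive", "inventory.view"},
    "carol": {"inventory.receive", "inventory.view"},
    "dave": {"ap.view_invoice", "ar.view_ledger", "inventory.view"},
}


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of everything the user's roles grant."""
    ents = set()
    for role in roles:
        ents |= role_entitlements.get(role, set())
    return ents


def sod_violations(entitlements, conflicts=SOD_CONFLICTS):
    """Conflict pairs fully contained in one person's entitlements."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= entitlements)


def excess_entitlements(entitlements, required):
    """Least-privilege finding: granted, but not needed by the position."""
    return sorted(entitlements - required)


def review(user_roles=USER_ROLES, job_requirements=JOB_REQUIREMENTS):
    """Detective control: findings per user for a periodic access review."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        ents = effective_entitlements(roles)
        findings[user] = {
            "sod": sod_violations(ents),
            "excess": excess_entitlements(ents, job_requirements.get(user, set())),
        }
    return findings


def can_grant(user, new_role, user_roles=USER_ROLES):
    """Preventive control for a provisioning workflow: refuse a role that
    would complete a toxic combination for this user."""
    proposed = effective_entitlements(user_roles.get(user, set()) | {new_role})
    return not sod_violations(proposed)


if __name__ == "__main__":
    for user, finding in review().items():
        print(user, finding)
    print("grant bob warehouse_out?", can_grant("bob", "warehouse_out"))
```

Note that dave carries no conflicting pair, yet still shows up with an excess entitlement: he was given the ap_clerk role when his position only needs to view invoices, which is a least-privilege finding rather than a separation-of-duties one. The `can_grant` check is the same logic turned around to run at request time, so a toxic combination is refused before it is ever provisioned.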

Some positions require that job rotation take place. Part of the reason for job rotation is to reduce the risk of collusion between individuals. Job rotation also creates opportunities to train multiple people to do a particular job. Another benefit of job rotation is that it can uncover unwanted, illegal, or dangerous activity that may be taking place during a single individual's performance of those duties. For jobs that don't break out well into tasks that can be assigned to multiple people, a mandatory vacation will accompany job rotation as part of the program. The employee will know in advance that this is an expectation of that particular role. It requires that they be away from the job on paid leave, and during that time the duties executed by that individual and the associated audit trails will be examined to make sure that everything was on the straight and narrow throughout that person's performance of the duty.

Sadly, these mandatory vacations never seem to turn into a four-day Caribbean cruise, but what they do turn out to be is a way of verifying that everything is as it should be in accordance with policy and procedure, and that if any irregularities are identified they are quickly captured and resolved. Those irregularities may show up in transaction flows, in communications with outside individuals, or in requests to process information outside normal procedures. The employee is then brought back in and apprised of the results, and either allowed to go back to work, rotated into a new position, or, if consequences are to be exacted, made to face them. All of this is known to the employee before any of it takes place, so none of it will be, "Gosh, I didn't know that was going to happen."
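The audit-trail examination described above is concrete enough to script. The following is an added example, not from the course: the audit log lines, the leave schedule, the approval limit and the line format (timestamp, user, action, key=value fields) are all constructed assumptions rather than any product's real format. It looks for the three kinds of irregularity the lecture names: the absent employee's identity being used during the enforced leave (they are not supposed to have access at all, so either the control is being circumvented or the credentials are shared), transactions outside normal procedure (here, a single approval above a policy limit), and transaction-flow anomalies (a payee that was paid before its vendor record existed).

```python
"""Mandatory-vacation review over an audit trail.

Added example, not part of the course. The log, leave window and limit are
constructed; the log format is an assumption for illustration only.
"""
from datetime import date, datetime

# Constructed audit trail: alice is the clerk on enforced leave, bob covers for her.
AUDIT_LOG = """\
2024-03-01T09:12:00 alice wire.approve amount=12000 payee=ACME
2024-03-04T08:55:00 bob wire.approve amount=4800 payee=ACME
2024-03-05T22:41:00 alice vpn.login src=203.0.113.7
2024-03-05T22:43:00 alice wire.approve amount=49900 payee=Nimbus-Holdings
2024-03-06T10:03:00 bob wire.approve amount=49900 payee=Nimbus-Holdings
2024-03-07T09:30:00 bob vendor.create name=Nimbus-Holdings
2024-03-18T09:00:00 alice vpn.login src=10.0.0.5
"""

# Constructed leave schedule (inclusive dates) and single-approver cap.
LEAVE = {"alice": (date(2024, 3, 4), date(2024, 3, 15))}
APPROVAL_LIMIT = 25000


def parse_log(text):
    """Parse 'timestamp user action k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, **kv})
    return events


def activity_during_leave(events, leave=LEAVE):
    """Any use of an on-leave employee's identity inside the enforced absence."""
    hits = []
    for e in events:
        window = leave.get(e["user"])
        if window and window[0] <= e["ts"].date() <= window[1]:
            hits.append(e)
    return hits


def over_limit_approvals(events, limit=APPROVAL_LIMIT):
    """Approvals that should have required a second approver under policy."""
    return [e for e in events
            if e["action"] == "wire.approve" and int(e["amount"]) > limit]


def paid_before_vendor_record(events):
    """Payees that received an approved wire before their vendor record was created."""
    created = {e["name"]: e["ts"] for e in events if e["action"] == "vendor.create"}
    flagged = set()
    for e in events:
        if (e["action"] == "wire.approve" and e["payee"] in created
                and e["ts"] < created[e["payee"]]):
            flagged.add(e["payee"])
    return sorted(flagged)


def review(text=AUDIT_LOG):
    """Summarise findings for the reviewer; tuples keep the output comparable."""
    events = parse_log(text)
    return {
        "during_leave": [(e["ts"].isoformat(), e["user"], e["action"])
                         for e in activity_during_leave(events)],
        "over_limit": [(e["ts"].isoformat(), e["user"], e["amount"])
                       for e in over_limit_approvals(events)],
        "paid_before_vendor_record": paid_before_vendor_record(events),
    }


if __name__ == "__main__":
    for finding, items in review().items():
        print(finding, items)
```

Each finding on its own is only an indicator; the point of the review is that the employee is confronted with them on return, as the lecture describes, and has to account for them. Note that the login from an outside address on 5 March is flagged purely because it falls inside the leave window, which is the whole value of the control: the person was supposed to be away, so there is no innocent explanation to weigh.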

In the cases where it ends badly, we will have termination processes. Workforce termination should be clearly defined, and an introduction to the process should be given during new employee orientation so that, again, employees cannot claim, "Gosh, I didn't know that." Everyone should have full disclosure of what is expected and of the consequences for failing to meet those expectations. Termination can take place for a variety of reasons. It can be voluntary: they've taken a new job elsewhere, they've moved to a new role within the same organization, or it could be something as happy as retirement. On the less happy side, it could be for cause, it could be that they are determined to be unsuitable for that particular role or for employment in your organization for a variety of reasons, or it could be that changes in the economy produce layoff or furlough conditions. Whatever the case, these termination processes need to be followed very carefully, and they should be enforced consistently in all cases.

Now third-party controls are going to be defined in the contracts that govern the relationship, and they're going to depend on the kind of third party we're talking about. Each of these, the vendor, the consultant, and the contractor, will have a different depth and breadth of scope in the relationship. The vendor relationship, for example, is shallow and may be very specific. Take a copier service company. The service technician is a known person, the company is bound to you by contract, and the relationship is focused entirely on coming in periodically to service the copiers, and possibly the large printers. But it carries a specific security concern: these devices contain storage that can retain images of documents that have been copied, scanned, or printed through them, so the contract needs to be written with that condition in mind, covering how that storage is handled during servicing and when the device is replaced.
The consultant may have a very narrowly defined area of scope, but the engagement may go very deep within that narrowly defined area.

Consequently, the contract needs to define these aspects as well, with things like non-disclosure, non-compete, non-circumvent, and other covenants, to ensure that the consultant is fully enabled, that the party engaging the consultant is fully aware of their duties, and that everyone is familiar with the rules about what information will be passed between the parties and how that information is to be protected. Contractor relationships can be very comprehensive, they can be long-term, and they can have a very broad sweep and great depth. Take for example the relationship the U.S. government has with its defense contractors. Lockheed Martin, for example, is a very long-term, highly regarded defense contractor across many different programs and projects. Their relationship with the government goes back decades, and a great deal of sensitive information has been exchanged between them. Within the scope of a given program, they'll have access to nearly all kinds of information that may be exchanged, developed, or created through that program, in which case many conditions will apply. So to sum up, the amount of security, risk management, and oversight that needs to be exercised over these relationships should be constructed along these lines: the vendor, a shallow but possibly very specific relationship; the consultant, very narrow but very deep; and the contractor, comprehensive and quite possibly years in length over the life of a given program or project. Our risk management processes need to reflect these differences.

One of the topics that's quite prevalent today is privacy. Privacy is not just about private citizens outside of their employment environment; it is also about workforce members and the privacy they have reason to expect. Whether you're a private citizen or an employee, in either context you have a reasonable expectation of privacy. Many of the laws passed recently, both here and abroad, have gone to great lengths to describe what that expectation encompasses. Every organization should be very plain-spoken in communicating its privacy policies, making very clear what they are and what their limitations are, so that there is good understanding and acceptance of what the policy reflects. Now, waiving the reasonable expectation of privacy in the workplace is not the constitutional issue defined by the Fourth Amendment of the United States Constitution; that concerns searches by the government. This is privacy within the business context, and in making its policies clear, the organization needs to be sure that the employee understands this and what the various limits and conditions will be, for example on monitoring of company systems and accounts.

Now the OECD Guidelines, summarized on the slide, are very clear. Their eight core principles are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. Purpose specification requires that the data controller, that is, the entity that collects, uses, and discloses information about individuals, be very plain-spoken and straightforward, and in no way conceal what its uses of the information it seeks to collect may be. Use limitation requires it to be equally plain-spoken about limiting that use to the stated purpose. Collection limitation means the controller has surveyed the information it needs for that purpose and determined that it is asking for the minimum necessary to meet it. Data quality means that, once the data has been collected, the controller puts controls in place to preserve the information against contamination and to ensure that only authorized persons can make authorized changes to it. For all of these activities the data controller is held accountable under the law that governs the relationship, and it therefore puts in place security safeguards to ensure it is doing everything reasonable to protect the information from inappropriate access or modification. Throughout this process, the openness and individual participation principles require the data controller to be transparent and forthcoming and to engage the individuals whose data is being collected, used, and disclosed, giving them the ability to know what is held about them and to have it corrected.

Well that concludes this module. We're going to go on to the next module and we hope you'll join us, thank you.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP certification in 1997, Mr. Leo joined ISC2 in a professional role as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has continued as a professional educator and has trained and certified nearly 8,500 CISSP candidates since 1998, and nearly 2,500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
