Module 4 - Procedural and People Security Controls
The course is part of this learning path
This course looks at ways in which the threats and vulnerabilities associated with the people who use IT systems can be mitigated. It highlights the important people security implications and how a security culture can be developed, then it investigates how user access controls can be effectively integrated with IT systems. Finally, it looks at the role of security training and awareness.
The objectives of this course are to provide you with and understanding of:
- The people threats facing organizations and the importance of a security culture
- Practical people controls, including employment contracts, service contracts, codes of conduct and acceptable use policies
- Access controls, including authentication and authorization, passwords, tokens and biometrics
- The importance of data ownership, privacy; access points, identification and authentication mechanisms, and information classification
- How organizations can raise security awareness and the different approaches to deliver security-related training
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this course, however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if would like help getting started.
Welcome to this video on people security.
A system is only secure if the people using it follow the correct procedures, so people play a critical role in information assurance.
This video looks at some of the people threats facing organizations and the importance of a security culture.
It then investigates some practical people controls, like employment contracts, service contracts, codes of conduct, acceptable use policies and tactical access controls.
Let’s start by looking at the inherent threat posed by in individual’s online presence.
Most people are online at home and at work. Not only does that mean their personal and sensitive information is at risk, but it also means that confidential organization information could be at risk if they don’t remain vigilant and follow the correct procedures.
Social engineering describes how hackers use deception to manipulate individuals into divulging confidential or personal information which they’ll use for fraudulent purposes.
They might adopt what’s known as a pretext, which is pretending to be somebody they’re not to convince the end-user to give them vital clues which enable them to gain access to the system they’re targeting.
In order to counter this threat, the information security officer needs to publicise corporate policies that encourage a culture of security, and senior management support is essential to reinforce this. A ‘security mindset’ needs to be engendered in every individual who works in and for the organization.
A strong security culture involves every member of staff actively participating in making the organization as secure as it can be.
This means that all staff understand the need for security and are aware of the threats and vulnerabilities they could face.
Security awareness training is one of the primary methods of communicating the right security behaviours.
Typically, these include:
· How passwords should be managed:
· Acceptable use policies for data and equipment;
· How sensitive information should be treated;
· How to keep computer equipment safe; and
· The escalation procedures if security issues arise.
This training is used as part of an induction programme for new starters and is often repeated annually for existing staff members, although the frequency is determined by the levels of security required within the corporate security policy.
Another method of underpinning a security culture is through the individual’s contract of employment. This creates a legal and binding relationship between the employee and employer and ensures that each party is clear about the obligations they have to each other.
Typically, the contract of employment will include:
· Behaviour and conduct expectations;
· Intellectual property clauses to ensure ideas or sensitive company information remain within the organization;
· Aspects of acceptable use for systems and knowledge; and
· The duty-of-care to other members of staff.
The contract will be signed by both parties to confirm understanding and agreement to the terms.
Aspects of the delivery are commonly outsourced to third-party organizations – either through a single contractor providing a specialist service or a fully outsourced capability, for example to deliver penetration testing or auditing services.
Services might also be provided as part of a consortium of partners who provide a single service under a framework agreement. Many Government contracts work this way.
In each situation, the supplier must comply with the standards and requirements of the contracting organization. For example, if an organization is ISO 27001 compliant, the contracting supplier might be required to adhere to the same guidelines.
Security requirements will be included in the supplier’s contract, clearly stating that taking on the work requires compliance with all security standards including the need to be audited. Active management through regular audit checks – perhaps every 1-2 years – can help to reduce the risk to the organization.
The contract should include a Security Aspects Letter which lays out in plain English what security measures and protective markings apply to the information assets the third-party will be handling. It should also detail penalty clauses and damages in the event of a security breach.
Both parties should sign this contract which will remain binding and legal at least for the duration of service supply.
Codes of Conduct relate to the behavioural responsibilities of staff members, contractors and sub-contractors.
They typically incorporate aspects of behaviour relating to maintaining the confidentiality, integrity, and availability of company systems or information.
This might be things like:
· Not openly discussing customer contact information outside the workplace;
· Personal safety and integrity issues, including illegal drug use or excessive consumption of alcohol; and
· Activities that might lead to an individual becoming a target for blackmail or coercion.
Other areas typically included in a Code of Conduct might relate to corporate hospitality, gifts and improper customer relationships which could lead to allegations of bribery and corruption.
These types of allegations are damaging because they relate to the CIA triad elements and reputation of the organization.
Acceptable Use Policies are used to support Codes of Conduct.
They define how the business expects individuals to use corporate resources, such as the internet and email, and answer questions like:
· When can staff members access the internet for private matters?
· Can individuals send personal email from their corporate account?
The areas included in Acceptable Use Policies should be reviewed and agreed with team leaders, HR and senior managers before they’re enforced.
It’s important to balance the need to trust individuals whilst reinforcing the security requirement. For example, it may be better to trust staff with unlimited access to the internet, even if they use it for personal reasons, rather than to block access to certain sites, which may only encourage staff to search for, and use, alternatives.
The Acceptable Use Policy should include how the organization will respond to a breach of trust, or an attempt to bypass the controls in a policy. A measured and appropriate response is essential, but it must act as a deterrent to individuals who might consider breaking the rules.
Individuals should acknowledge they’ve read and understood the Acceptable Use Policy.
As well as the employment contract, codes of conduct and acceptable use policies, there are a number of people-based security controls which can be used to minimise risk.
· Providing access to data and systems within the principle of ‘least privilege’ and ‘need to know’ (which is ‘least privilege’ applied to information access). Staff should be given adequate privileges to do their jobs but no more;
· Separation of duties; no individual should be able to carry out all the tasks which might be used to commit a fraud. For example, the person who places an order should not be the one who authorises payment.
Dual control is an extension of this which requires two individuals to carry out a single critical task, such as requiring two signatures on cheques over a certain value.
· Mandatory vacations which can be used to audit staff in sensitive posts while they’re away from work; and
· Job Rotation to prevent individuals from becoming too entrenched in a post and ensure that expertise is spread among staff rather than being concentrated in a few individuals.
That’s the end of this video on people security.
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.