
Topic 8 Human Factors

Outline
- Importance and broadness of the area
- Touch on a few key topics:
  - security awareness, training, and education
  - organizational security policy
  - personnel security
  - e-mail and Internet use policies

(C) Davar Pishva, 2013

Security and Information System Management

Security Awareness, Training, and Education
It is a prominent topic, considered in various standards. It provides benefits in:
- improving employee behavior,
- increasing employee accountability,
- mitigating liability for employee behavior, and
- complying with regulations and contractual obligations.


Learning Continuum


Awareness
- seeks to inform and focus an employee's attention on security issues such as
  - threats, vulnerabilities, impacts, responsibility
- must be tailored to the organization's needs
- program must promote security using a variety of means
  - events, promotional materials, briefings, policy document
- should have an employee security policy document



Training
- teaches what people should do and how they do it to securely perform IS tasks
- encompasses a spectrum covering:
  - general users: good computer security practices
  - programmers, developers, maintainers: security mindset, secure code development
  - managers: tradeoffs involving security risks, costs, benefits
  - executives: risk management goals, measurement, leadership

Education
- the most in-depth program in security
- targeted at security professionals whose jobs require expertise in security
- more properly fits into the category of employee career development programs
- often provided by outside sources
  - college courses
  - specialized training programs


Organizational Security Policy
- formal statement of rules by which people given access to the organization's technology and information assets must abide
- the term is also used in other contexts
  - may refer to specific security rules for specific systems
  - focused on technical matters rather than human factors

Organizational Security Policy (cont.)
- need a written security policy document
- need to define acceptable behavior, expected practices, and responsibilities
  - makes clear what is protected and why
  - articulates security procedures / controls
  - states responsibility for protection
  - provides a basis to resolve conflicts
- must reflect executive security decisions
  - protect information, comply with law, meet organizational goals

Security Policy Lifecycle


Policy Document Responsibility
- security policy needs broad support, especially from top management
- should be developed by a team including:
  - site security administrator,
  - IT technical staff,
  - user group administrators,
  - security incident response team,
  - user group representatives,
  - responsible management,
  - legal counsel


Document Content
- needs to cover a number of topics, or subject areas, and provide specific information to the reader
  - What is the reason for the policy?
  - Who developed the policy?
  - Who approved the policy?
  - Whose authority sustains the policy?
  - Which laws / regulations is it based on?
  - Who will enforce the policy?
  - How will the policy be enforced?
  - Whom does the policy affect?
  - What information assets must be protected?
  - What are users actually required to do?
  - How should security breaches be reported?
  - What is its effective date / expiration date?


Security Policy Topics
- are broad and contain a multitude of details
  - principles
  - organizational reporting structure
  - physical security
  - hiring, management, and firing
  - data protection
  - communications security
  - hardware
  - software
  - operating systems

Security Policy Topics (cont.)
  - technical support
  - privacy
  - access
  - accountability
  - authentication
  - availability
  - maintenance
  - violations reporting
  - business continuity
  - supporting information


Resources
- ISO 17799 (Code of Practice for Information Security Management)
  - popular international standard
  - has a comprehensive set of controls
  - a convenient framework for policy authors
- COBIT (Control Objectives for Information and Related Technology)
  - business-oriented set of standards
  - includes IT security and control practices
- Standard of Good Practice for Information Security
- Other organizations, e.g. CERT, CIO Council

Personnel Security
- hiring, training, monitoring behavior, and handling departure
- employee security violations occur:
  - by forgetting security considerations, or
  - by knowingly violating controls or procedures
- threats include:
  - gaining unauthorized access,
  - altering data,
  - deleting production and backup data,
  - crashing systems,
  - destroying systems,
  - misusing systems,
  - holding data hostage,
  - stealing strategic or customer data for corporate espionage or fraud schemes


Security in Hiring Process
- Objective:
  - to ensure that employees, contractors and third party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities
- need appropriate background checks, screening, and employment agreements


Background Checks & Screening
- Issues:
  - inflated resumes
  - reticence of former employers to give good or bad references due to fear of lawsuits
- Employers do need to make a significant effort to do background checks / screening
  - get detailed employment / education history
  - make reasonable checks on the accuracy of details
  - have experienced staff members interview
- for some sensitive positions, additional intensive investigation is warranted


Employment Agreements
- employees should agree to and sign the terms and conditions of their employment contract, which should include:
  - information on their and the organization's security responsibilities
  - confidentiality and non-disclosure agreement
  - agreement to abide by the organization's security policy


During Employment
- current employee security objectives:
  - ensure employees, contractors, third party users are aware of information security threats & concerns
  - know their responsibilities and liabilities
  - are equipped to support the organizational security policy in their work, and reduce human error risks
- need security policy and training
- security principles:
  - least privilege
  - separation of duties
  - limited reliance on key personnel

Termination of Employment
- Termination Security Objectives:
  - ensure employees, contractors, third party users exit the organization or change employment in an orderly manner
  - that the return of all equipment and the removal of all access rights are completed
- Critical Actions:
  - remove name from authorized access list
  - inform guards that general access is not allowed
  - remove personal access codes, change lock combinations, reprogram access card systems, etc.
  - recover all assets
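The critical actions listed above are a reconciliation task: every record that still grants a departed person logical or physical access, and every asset still assigned to them, has to be found and closed out, and an offboarding is only complete when nothing remains. The script below is an added example written for these notes, not part of the lecture; it runs that check over constructed sample records (a set of departed user names, an authorized-access list per system, the card holders per door, and an asset register) and turns the findings into the pending actions from the slide. All record shapes, names and values are assumptions.

```python
"""Offboarding audit: reconcile departed staff against access and asset records.

Added example for the 'Termination of Employment' notes. The records below
are constructed sample data; the record shapes are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# --- constructed sample data --------------------------------------------
DEPARTED: Set[str] = {"jdoe", "msmith"}          # employment has terminated

# logical access: system -> user names on its authorized access list
AUTHORIZED_ACCESS: Dict[str, Set[str]] = {
    "hr-db": {"jdoe", "akhan"},
    "vpn": {"jdoe", "msmith", "akhan"},
    "build-server": {"akhan"},
}

# physical access: access-card system (door) -> active card holders
PHYSICAL_ACCESS: Dict[str, Set[str]] = {
    "server-room": {"msmith", "akhan"},
    "main-entrance": {"jdoe", "msmith", "akhan"},
}

# asset register: (asset tag, assigned user, returned?)
ASSET_REGISTER: List[Tuple[str, str, bool]] = [
    ("LT-0451", "jdoe", False),
    ("TOKEN-77", "jdoe", True),
    ("LT-0470", "msmith", True),
    ("LT-0502", "akhan", False),   # current employee, not an offboarding item
]


@dataclass
class OffboardingReport:
    """Residual access and assets that still need action for departed users."""
    residual_logical: Dict[str, List[str]] = field(default_factory=dict)
    residual_physical: Dict[str, List[str]] = field(default_factory=dict)
    unreturned_assets: Dict[str, List[str]] = field(default_factory=dict)

    def is_clean(self) -> bool:
        """True only when every departed user has no access left and no assets out."""
        return not (self.residual_logical or self.residual_physical
                    or self.unreturned_assets)

    def pending_actions(self) -> List[str]:
        """Map the findings onto the critical actions from the slide."""
        actions = []
        for user, systems in sorted(self.residual_logical.items()):
            actions.append(f"remove {user} from authorized access list of: "
                           + ", ".join(systems))
        for user, doors in sorted(self.residual_physical.items()):
            actions.append(f"deactivate access card / codes of {user} for: "
                           + ", ".join(doors))
        for user, tags in sorted(self.unreturned_assets.items()):
            actions.append(f"recover assets from {user}: " + ", ".join(tags))
        return actions


def _residual(departed: Set[str], grants: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return departed user -> sorted list of systems/doors still granting access."""
    out: Dict[str, List[str]] = {}
    for system, users in grants.items():
        for user in users & departed:
            out.setdefault(user, []).append(system)
    return {user: sorted(systems) for user, systems in out.items()}


def audit_offboarding(departed: Set[str],
                      logical: Dict[str, Set[str]],
                      physical: Dict[str, Set[str]],
                      assets: Iterable[Tuple[str, str, bool]]) -> OffboardingReport:
    """Reconcile the departed list against access lists and the asset register."""
    report = OffboardingReport(
        residual_logical=_residual(departed, logical),
        residual_physical=_residual(departed, physical),
    )
    for tag, user, returned in assets:
        if user in departed and not returned:
            report.unreturned_assets.setdefault(user, []).append(tag)
    for tags in report.unreturned_assets.values():
        tags.sort()
    return report


if __name__ == "__main__":
    report = audit_offboarding(DEPARTED, AUTHORIZED_ACCESS, PHYSICAL_ACCESS, ASSET_REGISTER)
    print("offboarding complete" if report.is_clean() else "pending actions:")
    for action in report.pending_actions():
        print(" -", action)
```

Running it on the sample data flags jdoe's remaining hr-db and vpn accounts, both users' still-active entrance cards, msmith's server-room card, and jdoe's unreturned laptop; the current employee akhan is never reported. In practice the three inputs would be exported from the identity provider, the physical access control system and the asset inventory, and the audit would be scheduled so that the report is empty before the departure is considered closed.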


Email & Internet Use Policies
- E-mail & Internet access for employees is common in offices and some factories
- Many companies include e-mail and Internet use policies in the organization's security policy
  - due to concerns regarding
    - work time lost
    - computer / communication resources consumed
    - risk of importing malware
    - possibility of harm, harassment, bad conduct


Suggested Policies
Some suggested policies on company e-mail and Internet access include:
- business use only
- policy scope
- content ownership
- privacy
- standard of conduct
- reasonable personal use
- unlawful activity prohibited
- security policy
- company policy
- company rights
- disciplinary action


Example Policy


Topic 8 Human Factors


Summary
- Introduced some important topics relating to human factors:
  - security awareness, training & education
  - organizational security policy
  - personnel security
  - e-mail and Internet use policies
