Personnel Management – CompTIA Security+ SY0-501 – 5.1

The personnel side of IT security is an important part of your overall security policies. In this video, you’ll learn about mandatory vacations, job rotation, separation of duty, and more.



In some organizations and for some job roles, there may be a business requirement for a mandatory vacation, where an employee must take a certain number of vacations, or a certain amount of time off, during the year. This gives the organization a chance to rotate other people through the job. If any fraud or other illegal activity is associated with that position, the period when the person is away is a good opportunity to discover it, because someone else is now performing the same duties and seeing the same records. The policy only works as a control if the absent employee really is out of the loop: their duties must actually be handed to someone else, and their accounts should not be in use while they are away. This is not the most common personnel policy, but in a high-security environment it can be very good at finding fraud.

A similar type of business policy is job rotation, where people continually move between different responsibilities. No single person is in control of a particular set of job responsibilities for any extended period of time, so no one can quietly cover their own tracks. Another set of business policies falls under separation of duties. One type of separation of duties is split knowledge, a policy where no single person has all of the details needed to perform a particular function. For example, one person may know half of a safe combination, and another person may know the other half.

This is very similar to dual control, but with an important difference. With split knowledge, one person could simply tell the other their half of the combination. With dual control, both people must physically be present to perform the function: each one shows up with their own key, and both keys have to be used at the same time to open the safe.

Another popular and useful security policy is a clean desk policy. This means that when you leave your desk, nothing is left on top of it: there is no paperwork, your computer is locked or turned off, and no one can see any data once you walk away. For highly secure environments that deal with sensitive data, this is a business policy that can be very effective.

Many organizations will perform a pre-employment screening or a background check. This gives the organization an opportunity to verify what the applicant has put on their application. A background check can find criminal history, can discover whether the applicant has workers' compensation claims pending, and may provide more detail than what is written on the application. The legalities of exactly what someone can do with a background check vary by country, so make sure you follow the legal requirements for your particular geography.

An adverse action is a decision that denies someone employment, and it is usually based on the results of a background check. Whenever an adverse action is taken, it often needs to be documented and provided to the applicant. Organizations commonly apply the same process to existing employees as well. And again, the legal requirements will vary depending on your geography.

Every organization has information that is company confidential. In order to maintain that confidentiality, an organization may require employees and third parties to sign a Non-Disclosure Agreement, or an NDA. The non-disclosure agreement is a legal contract that identifies what information is confidential, and it limits the use and dissemination of that information.

Another important security procedure takes place during the onboarding process, when new employees join the organization. There is usually an induction or a training process so that people are trained on exactly what proper IT security looks like for their particular role. Continuing education is also needed. Initial training isn't enough, because there is a lot to absorb during onboarding and because the security environment is constantly changing, so you need some way to keep everybody current on the latest IT security policies.

An Acceptable Use Policy, or AUP, is a document that identifies exactly what is and is not appropriate activity on an organization's network. This may also be documented in an employee's rules of behavior. The AUP can cover a wide range of technologies: telephones, computers, mobile devices, tablets, and anything else dealing with information technology. The acceptable use policy is generally signed by anyone who uses the organization's technology. So if someone is dismissed for violating the acceptable use policy, there is documented evidence of what was understood beforehand and exactly which rules were broken.

One common tool used by human resources is the exit interview. If an employee is leaving the organization, this is an opportunity to ask a few questions before they go. For example, you could ask what their reasons were for leaving and what they enjoyed most and least about their time with the organization. This is usually a very formal process: HR gathers as many statistics as possible, which also allows them to track changes over time.