With the increase in telework options at companies, the company must have IT security policies in place for mobile devices used by employees. Review the following article and respond to the questions below.
Friedman, S. (2020). NIST issues security guidance for teleworking, establishing remote access. Inside Cybersecurity (Attached)
> In your current or previous work experience (tech, software engineer), did the company follow the IT practices suggested in the article or chapter reading?
> Why is it important that proper training be provided to employees?
> What are some common threats that might result from improper or missing training?
> What in the article or chapter reading surprised you the most?
The article and chapters are attached. Need 3 pages with peer-reviewed citations. Use a Tech company. No introduction or conclusion needed.
7 Mobile devices
Mobile devices and teleworking
Control objective A.6.2 of ISO27002 is to ensure information security when mobile or when working remotely. The protection required should, of course, be proportional to the risks identified (through a risk assessment). Many of the issues related to both mobile working and teleworking have been touched on elsewhere in this book. These include issues around information classification (Chapter 9), equipment security (Chapter 16), virus control (Chapter 18) and access control (Chapter 11). The two sub-clauses deal, respectively, with mobile computing and teleworking.
Mobile computing
Control 6.2.1 of ISO27002 says the organization should have in place a formal policy and appropriate controls to protect against the risks of working with mobile computing facilities, particularly in unprotected locations. If the organization has a BYOD (‘Bring Your Own Device’) policy, this is where it would primarily occur within the ISMS.
Any organization that operates a mobile computer network – and a BlackBerry or smartphone network would count – should take specific steps to protect itself. These controls may also be relevant in respect of staff accessing organizational assets from their own private mobile devices. If it also has teleworkers, this policy for mobile computers could be integrated with that for the teleworkers. The first step is to design and adopt, within the ISMS, a mobile computing policy, which must be accepted in writing by those who wish to use mobile facilities before they are allowed to. The sensible organization will also ensure that users receive appropriate training before they are issued with mobile computing equipment (notebooks, smartphones).
IT GOVERNANCE116
This policy should consolidate all the procedures discussed elsewhere in this manual in respect of mobile computing and handheld usage. It should set out clearly the requirements for physical protection, access controls, cryptography, back-ups and malware protection. It should include clear guidance on how to connect to the organizational network and how mobile tools should be used in public places. ‘Public places’ include meeting rooms outside the organization’s own secure premises and wherever notebooks and handhelds remain tempting targets for hackers and thieves, who can have as much impact on the availability of data as a particularly virulent virus. Guidance on where mobile devices may be used, and for what purposes, should also be provided, with due consideration being given to who may be able to see or hear what is being ‘processed’.
The organization will need to develop an effective method of ensuring that anti-malware protection is completely up to date on mobile computers (which are also known as ‘endpoints’, reflecting the reality that for many networks, it is the notebook and mobile devices that exist beyond the secure corporate perimeter that are the endpoint for corporate security activity). This is best done by using an automatic update service that updates all computers the moment they log on to the organizational network. It is important that the mobile user is not given any authority to override this update and is not able to proceed until the update is complete. This principle should extend to ensuring that the software is fully patched, with all service packs installed; it is not unknown for someone whose primary use of a laptop is for e-mail to avoid actually logging on to the system for months on end, with the consequence that many patches and service packs are not installed. End-point security products have emerged to deal with these specific issues.
Where remote users access organizational facilities, strong authentication should be used, which makes use of strong protocols. Consideration should be given to authenticating the machine as well as the user to provide for the situation where a notebook has been stolen and the user authentication information compromised. The situations where this will be necessary should be identified through the risk assessment.
Back-up procedures (using, for instance, web-based data back-up services) are very important; unlike the requirement that should be in place for computers on a fixed network (no data stored on the C: drive), mobile computers may have all their data stored on the C: drive. The requirement for regular individual back-ups, together with a workstation configuration that automatically backs up the ‘My Documents’ folder to the main server when a laptop is logged on to the network (over an appropriate connection), combined with a requirement that any physical back-up media are appropriately protected from theft, loss or degradation (issue protective, lockable boxes), is essential.
Physical security (ensuring that unattended notebooks are locked away and/or fitted with security locks and that notebooks with sensitive information are encrypted and are never left unattended) is an equally important component of an effective mobile computing policy. Given the ridiculously high number of laptops and smartphones that are lost, stolen or otherwise go missing every year, organizations need to develop specific reporting and recovery procedures based on a risk assessment that includes any legal or insurance issues that may be relevant to the organization. Users should be physically trained in how to do these and should demonstrate that they know how to before they are released into the world with a notebook or handheld.
The proliferation of wireless networks, wireless networking facilities and public wireless access spots has brought a new dimension to mobile computing security. The fact that an individual can access a public wireless network (from, for instance, an airport lounge or a coffee shop) is both extremely convenient and potentially very dangerous. It can be more dangerous than accessing the internet through a fixed link, in that a wireless computer is broadcasting information to the wireless access point – and, therefore, all that information is available to anyone who is interested in it.
A widely deployed security standard on laptop computers is still WEP (Wired Equivalent Privacy). It does not give the privacy of a wired equivalent; it is insecure, and there are many websites that provide information on its inadequacies and how to attack WEP, to decrypt current traffic, to inject new unauthorized traffic or, ultimately, to access the laptop itself. The default configuration for laptops should be that WEP is switched off. It is just as important to secure laptops that may use public access points to access corporate networks; WPA (preferably WPA2) and VPNs should be part of the basic security configuration.
It is essential that before any laptops are issued to mobile users, the organization carry out a risk assessment, and deploy those technological controls (which themselves are evolving quickly) that are most likely to minimize the threat to the organization arising from wireless vulnerabilities.
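As an added example (not the book's own material), the following Python sketches the logon-time posture gate the preceding paragraphs describe: the machine is authenticated as well as the user, anti-malware signatures and patches must be current, the disk must be encrypted, WEP must be off and wireless access must use WPA2 or better over a VPN, and a device with stale updates is held on an update-only network with no user override. The field names, thresholds and sample posture records are all assumptions constructed for the illustration.

```python
"""Logon-time posture gate for mobile endpoints (added example, not from the book).

Each device reports a posture record when it connects; the gate enforces the
requirements the chapter lists. A device with stale signatures or patches is
held on an update-only network with no user override; an authentication or
configuration failure is refused outright. Field names, thresholds and the
sample records below are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # full access to the organizational network
    QUARANTINE = "quarantine"  # update-only network until compliant; no user override
    DENY = "deny"              # authentication or configuration failure


@dataclass(frozen=True)
class Posture:
    """Posture report an endpoint agent would send at logon (constructed schema)."""
    device_id: str
    user_authenticated: bool   # user credential verified
    machine_cert_valid: bool   # device certificate verified (authenticates the machine)
    av_signature_date: datetime
    last_patch_date: datetime
    disk_encrypted: bool
    wep_enabled: bool
    wifi_security: str         # "WPA2", "WPA3", "WPA", "WEP", "open" or "wired"
    vpn_active: bool


@dataclass(frozen=True)
class Policy:
    max_av_age: timedelta = timedelta(days=1)
    max_patch_age: timedelta = timedelta(days=30)
    accepted_wifi: tuple = ("WPA2", "WPA3")


def evaluate_posture(p: Posture, policy: Policy, now: datetime):
    """Return (Decision, reasons). Hard failures deny; remediable ones quarantine."""
    hard, remediable = [], []

    # Machine and user authentication: a valid user credential on an unknown
    # machine is the stolen-laptop case the chapter raises, so it is refused.
    if not p.user_authenticated:
        hard.append("user authentication failed")
    if not p.machine_cert_valid:
        hard.append("machine certificate invalid or missing")
    if not p.disk_encrypted:
        hard.append("disk not encrypted")
    if p.wep_enabled:
        hard.append("WEP enabled (must be switched off)")

    # Wireless access: WPA2 or better, and a VPN for reaching corporate systems.
    if p.wifi_security != "wired":
        if p.wifi_security not in policy.accepted_wifi:
            hard.append(f"wireless security {p.wifi_security!r} not accepted")
        if not p.vpn_active:
            hard.append("VPN not active over wireless")

    # Remediable: the device must update before proceeding; the user cannot skip this.
    if now - p.av_signature_date > policy.max_av_age:
        remediable.append("anti-malware signatures out of date")
    if now - p.last_patch_date > policy.max_patch_age:
        remediable.append("OS patches out of date")

    if hard:
        return Decision.DENY, hard
    if remediable:
        return Decision.QUARANTINE, remediable
    return Decision.ALLOW, []


def gate_all(postures, policy=Policy(), now=None):
    """Map device_id -> decision string for a batch of posture reports."""
    now = now or datetime.now()
    return {p.device_id: evaluate_posture(p, policy, now)[0].value for p in postures}


# Constructed sample reports, evaluated against a fixed clock.
NOW = datetime(2024, 3, 1, 9, 0)
SAMPLE_POSTURES = [
    # compliant laptop on WPA2 with VPN
    Posture("LT-001", True, True, NOW - timedelta(hours=6), NOW - timedelta(days=10),
            True, False, "WPA2", True),
    # e-mail-only user who has not logged on for months: stale signatures and patches
    Posture("LT-002", True, True, NOW - timedelta(days=3), NOW - timedelta(days=95),
            True, False, "wired", False),
    # valid user credentials presented from a machine with no device certificate
    Posture("LT-003", True, False, NOW - timedelta(hours=1), NOW - timedelta(days=2),
            True, False, "WPA2", True),
    # unencrypted laptop with WEP left on, no VPN
    Posture("LT-004", True, True, NOW - timedelta(hours=1), NOW - timedelta(days=2),
            False, True, "WEP", False),
]

if __name__ == "__main__":
    for dev, decision in gate_all(SAMPLE_POSTURES, now=NOW).items():
        print(dev, decision)
```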
Increasingly, mobile phones and smartphones are falling within the category of information processing devices that this section is designed to address, and they should therefore, as previously indicated, also be subject to appropriate controls determined as the result of a risk assessment. Clearly, consideration needs to be given to the logical boundaries between organizational data and the systems, software and Apps on smartphones, which takes us back to the BYOD issues identified earlier.
Teleworking
Control 6.2.2 of ISO27002 says the organization should develop policies, operational plans and procedures to authorize and control teleworking activities. Where the organization has both teleworkers and mobile workers, the two policies should be integrated. Teleworking has increasingly become an extension of mobile working, rather than being simply one or a few workers based outside the organizational perimeter and accessing the network from time to time. The only significant difference between the two is that teleworking involves a fixed base and fixed connection to the organizational network; more information and more extensive facilities tend to exist in the teleworking location. The location itself, usually an employee’s home, does not have anything like the physical security that might be available in the workplace and is also vulnerable to domestic thieves.
There are particular controls that should be considered for teleworkers, and these should reflect a risk assessment and be incorporated into a formal policy within the ISMS. The teleworker should be required to sign a suitably modified version of the access agreement discussed in Chapter 12. A NIST publication, Security for Telecommuting and Broadband Communications, SP 800–44, available from the NIST website (https://csrc.nist.gov (archived at https://perma.cc/Z5WL-42XB)), is designed to help system administrators and users tackle the information security issues around these areas, and while written for a US audience, it is of value elsewhere. There are also issues of health and safety that will need to be considered, but these are outside the scope of this book.
The risk assessment should consider specific issues in relation to remote locations. Where the organization has a substantial number of teleworkers (eg staff working from home, either permanently or infrequently but regularly), it might consider a standardized form of risk assessment that looks for exceptions to minimum requirements, can be carried out at a distance and depends on employee information for completion. This input should be subject to random physical checks. If the system is too complex and time-consuming to set up, the benefits to be gained from teleworking will be outweighed by the work it requires to set someone up.
A key issue to consider, for teleworkers, is the physical security of the site. The organization should look at the physical security of the proposed building (usually a house) and also take into account the security of the surrounding area. The teleworking environment within the building should also be considered: is it a separate office or is it in a communal area? The communications requirement should be assessed; this should take into account the information classification, the underlying linking technology and the sensitivity of the system to which it links. Lastly, the threat of unauthorized access to the facilities (including from family and friends) should also be assessed.
There are a number of controls that might be considered and that should be included in the teleworking policy. As with the mobile working policy, teleworkers should not be authorized to start activity until they are satisfactorily trained. The controls should include provision, by the organization, of suitable and adequate equipment and appropriate furniture that make storage and proper usage possible. Consideration should be given to printers, files, peripheral drives and safety equipment such as anti-glare screens and wrist rests that might be available in the workplace. Full-size screens, keyboards and mice might also be appropriate.
The permitted work should be defined, including the hours of work and the classification of information that may be held at, or accessed from, the location. The organizational systems and services that the user is authorized to access should also be described. Appropriate communication equipment should be provided (internal modem, ISDN, ADSL, broadband, etc, depending on communication needs, available technology and the cost–benefit analysis), and how secure remote access is ensured must also be decided. Physical security – how the equipment is to be protected against breakage and theft – is as important as the establishment of appropriate insurance cover for it (it should not be left to the employee to organize cover under a household policy, as this will usually not be applicable). There should be rules about what access families and friends can have to the facilities and to the equipment. Critically, these must take into account any other devices that may run on a home network and any wireless devices or wireless networking. Appropriate steps should be taken to provide hardware and software support and maintenance; usually this includes an extended service from the organizational helpdesk staff, whose hours will need to be extended to cover home working and whose skills will need to encompass their peculiar problems.
There are specific issues that will need to be addressed if the teleworker is going to use privately owned equipment. One such issue could be that of ownership of business ideas or intellectual property developed on privately owned equipment either during or after working hours, and this issue should be addressed (depending on the risk assessment) with the help of the organization’s professional legal advisers; appropriate clauses, which should also cover dispute resolution, should be inserted into the teleworker’s access agreement. Other issues specific to privately owned equipment include the need for the organization to access the equipment (either to check security or as part of an investigation); software licensing agreements consequent upon the deployment to a private machine of organization-specific software; and requirements about the level of firewall and anti-malware protection. Like the IP issue, these should all be addressed in the light of a risk assessment and with professional advice that informs the teleworker’s access agreement.
There should be clear rules about back-up, anti-malware and continuity plans, with appropriate resources provided to make this as easy as possible. It should be borne in mind that the risks to the organization are greater in relation to individual teleworkers than in relation to individual users on the organizational network.
Teleworkers should certainly be subject to audit and monitoring just as for any other person attaching to the network, and there should also be a documented process for revoking general or specific teleworking authorizations and to ensure that all equipment is returned.
8 Human resources security
Clause 5.1 of the standard requires the organization to ensure that the resources needed for the ISMS are available, and clause 7.2 requires that whoever is assigned an ISMS-related task has the necessary competence. The HR aspects of these two clauses can be satisfied at the same time as the relevant HR controls are implemented.
Clause 7.2, in particular, requires the organization to determine what competences are necessary for those doing work within the ISMS, and then to ensure (by assessment and evaluation) that these persons are actually competent, providing relevant education, training or experience, and to keep appropriate documentary evidence. Note that ‘persons doing work under organization’s control’ can extend to volunteers, associates and contractors as well as full-time employees.
Section 7 of ISO27002 is structured to deal with human resources security in a way that covers the three stages of employment: pre-employment, during employment and post-employment. Control 7.1 of the standard deals with pre-employment security issues. The objective of this clause is to ensure that employees and contractors are suitable for their roles, and understand their information security responsibilities. Control 7.1.1 deals with pre-employment screening, and 7.1.2 deals with contracts and roles and responsibilities in respect of the ISMS and information security within the organization. This should include both general and specific responsibilities.
Job descriptions and competency requirements
Every job description should contain: 1) a description of the competencies required for the role; and 2) a statement to the effect that every employee is required to be aware of the organization’s policy on information security (a copy of the policy might be attached to the job description) and to take whatever actions may from time to time be required of him or her under the terms of the organization’s ISMS. In particular, the employee’s attention should be drawn to the responsibility to protect assets from unauthorized access, disclosure, modification, destruction or interference, the information classification and handling rules, the access controls (both physical and logical), the incident reporting procedure, the requirements to carry out any other specific procedures and processes, the requirement personally to improve competence and skills in this area, and the fact that the employee will be held accountable for his or her acts of commission and omission. The job description should set out clearly that breach of information security controls may be considered a misdemeanour under the organization’s disciplinary policy and that breach of them might, under specific circumstances, result in dismissal.
Specific requirements should in addition be included in the job descriptions of particular individuals. If the organization prefers not to identify required competencies for all roles, it will at least be necessary to do so for those involved in the ISMS. The people who should be considered for such specific requirements include:
● the chief information and/or the chief information security officer;
● the information security adviser;
● members of the information security management forum;
● IT managers;
● network and website managers;
● IT, website and helpdesk support staff;
● premises security staff;
● HR, recruitment and training staff;
● general managers;
● finance staff;
● the company secretary and legal staff;
● the business continuity and emergency response team.
People in each of these functions (and there are likely to be others – each organization is different and each organization needs to make arrangements that are appropriate to it) are likely to have a direct impact on the effectiveness of implementation of the information security policy and the ISMS.
While Chapter 4 contained an initial discussion of the generic responsibilities that apply to particular functions, the only effective way to ensure that all information security responsibilities are captured will be for the members of the information security management forum to work through all the clauses of the standard, identifying which members of staff will be responsible for implementing the clause or will be affected by it. These responsibilities should then be included in the job descriptions for these people.
This analysis should be underpinned by a review of all the roles, functions and employment levels of staff within the organization; this review should consider what responsibility, if any, people in given roles will have in ensuring the confidentiality, integrity and availability of information in the organization. The conclusions of this review should be compared with those generated by the analysis carried out on the basis of the clauses of the standard. A statement of information security responsibility that combines both outputs should then be the final form of the amendment to the job description.
This statement of information security responsibility could either have a separate headlined and complete paragraph in the job description, in which case the member of staff affected should sign and date a copy of the amended job description, or there should be a separate statement attached to the job description and referred to in the job description, in which case both documents should be signed and dated by the employee. The signed document should then be retained on the individual’s personnel file.
As part of any arrangements with third parties that involve their access to the organization’s information assets, security roles and responsibilities that match those required by the organization should be implemented by the third party and appropriately monitored by the organization.
Screening
Control 7.1.1 of ISO27002 deals with verification checks on permanent staff and contractors at the time of job applications. The organization should identify who will be responsible for carrying this out, how it will be done, how the data will be managed and who will have what authority in respect of the data and the recruitment process. Any screening and data collection activity must be carried out in accordance with the relevant local legislation. There is, in some roles, a legal requirement to carry out criminal screening, and there are clearly risks in taking unknown staff into the organization, not just in terms of fraud and confidentiality but also in terms of integrity and availability. An inadequately experienced IT staff member could mismanage a vital server or application in such a way that information availability and integrity are compromised. This clause provides more information about the type of verification envisaged. It sets out five basic checks that should be completed:
1 Character reference checks, one personal and one business. These should, for preference, be written, but a substitute might be a signed and dated detailed note of a telephone reference given by a nominated third party to a competent (ie experienced in carrying out telephone reference checks) member of the organization’s staff.
2 A completeness and accuracy check of the employee’s curriculum vitae; this is usually carried out by means of written references supplied by previous employers or third-party organizations, and most employers will already have standard documents that are sent out to guide these third parties in replying. It is critical that the employer is methodical in ensuring that all facts are corroborated and that all forms are returned, duly completed, by previous employers. Where they are not returned within a defined time period (which should be short – perhaps 10 days at the outside), the organization should arrange to complete the form by means of a telephone interview with the previous employer.
3 Confirmation of claimed academic and professional qualifications, either by means of obtaining from the candidate copies of the certificates or other statement of qualification or through an independent CV checking service. These firms can, for a nominal sum, carry out detailed CV checks (including the checking of academic and other qualifications) that would satisfy the requirements of both point 2 above and this point 3.
4 There should be an independent identity check against a passport or similar document that shows a photograph of the employee.
5 A more detailed review of the individual’s credit history and/or criminal record may be appropriate for those who will have access to more sensitive information. These checks are available from specialist providers.
6 Finally, and this is in addition to the ISO27002 list, the individual’s entitlement to live and work in the country should be confirmed, by reference to appropriately endorsed travel or work documents.
Where a job, either on initial appointment or on promotion, involves access to information processing facilities, and particularly if it involves processing sensitive (financial or highly confidential) information, there should also be a credit check. Where individuals have considerable authority in their position, this check should be repeated regularly, either quarterly or annually as appropriate.
Normal practice would be that, while a draft contract is agreed between the prospective employee and the organization, it is not signed and the employee does not start work until the checks have been completed. Depending on the outcome of a risk assessment, some organizations might choose to allow people to start work, particularly in roles that deal with only a low level of information, subject to satisfactory references; in these circumstances, it is necessary to set a time limit within which the reference checking will be complete. The contract of employment will usually not be signed by the organization until the reference checks are completed, and if they are unsatisfactory or not completed within the allocated time, the employee is dismissed. A similar process should be carried out for temporary or agency staff and contractors.
Where the staff are supplied by another organization (and this is often the case with IT staff, who are often directly employed by or contracted to the agency concerned), the contract with the third party should set out clearly its responsibility to carry out checks to a similar level. The contract also needs to set out what steps the agency has to take where answers to the screening process have been unsatisfactory or the process itself has not been completed. At the very least, these should include informing the employing organization, and in full, without delay, offering to replace any individual who has already started work, immediately and at no additional cost. The contracting organization should have adequate professional indemnity insurance, and this should be checked by obtaining and keeping on file a copy of the current insurance certificate.
While this may be relatively easy to implement for future hires, the organization has to decide what to do in respect of existing staff. It will not be sufficient simply to adopt the approach that because the staff are already there, there will be no problems. Undoubtedly, the correct approach to this situation is to ensure that the organization has records for existing staff of equivalent completeness to those required for new hires. It will be important that existing staff are made aware that this process is to be carried out and that it will be done openly and quickly.
Statistically, the likelihood is that every organization will discover that one or more members of its staff have incorrect or false CVs. Each of these instances will have to be tackled, and the organization will have to judge the extent to which the individual threatens its information security; the organization’s direct experience of the employee in the work environment may provide sufficient evidence to act on or to set aside the inaccuracy in the CV. If it is to be set aside, the employee should certainly be made aware that the inaccuracy was uncovered, and the reasons for its being set aside should be explained. This simple step can help the employee avoid such behaviours in the future.
New and/or inexperienced staff may, at certain times, have to be authorized to have access to sensitive systems. The company should identify what level of supervision will be required in such circumstances and ensure that it has in place a procedure for providing the appropriate level of supervision. The performance of all staff in respect of information security, particularly those who have access to sensitive information, should be reviewed on a regular basis (at least annually) and appropriate steps taken to ensure that the standards set by the organization are maintained. This review can be by means of one or more questions that are incorporated into an existing annual appraisal system.
At annual reviews, and on a day-to-day basis, line managers within the organization should be aware of unusual behaviour by members of staff that may be signs of stress, personal problems or financial challenges. Apart from the human benefits of helping employees deal with these challenges, such issues have been known to affect people’s performance negatively (which may, of course, have implications for information security) and may also lead some individuals to commit crimes or fraud. Managers should be appropriately trained to spot and handle these situations within the restrictions of the relevant legislation.
Personnel vetting levels in respect of UK government information can vary according to the classification of material that the job holder will normally need to access. If you require advice on the application of clearance levels in this context, the appropriate department security officer will be able to advise you.
Terms and conditions of employment
Control 7.1.2 of ISO27002 says the organization should ensure that employees and contractors all agree and sign an employment contract that contains terms and conditions covering, inter alia, their and the organization’s responsibilities for information security. These terms and conditions should include a confidentiality agreement, constructed in accordance with local legal guidance, that covers information acquired prior to and during the employment and the effect of which should continue beyond the end of the employment.
This confidentiality agreement should be drafted by the organization’s lawyers. It should form an integral part of the contract of employment, so that acceptance of terms of employment automatically includes acceptance of the confidentiality agreement.
There are circumstances in which someone who is working for the organization will not have signed an employment contract; he or she might, for instance, be working on a temporary or interim management basis, or even for short-term work experience. Anyone who has not signed a contract of employment should sign a confidentiality agreement of some description. This might form part of a contract for the provision of services or it might be a standalone confidentiality agreement. It should reflect the terms that are set out in the contract of employment, with any additional terms and sanctions that are recommended by the organization’s lawyers in respect of these third-party relationships.
This confidentiality agreement is designed to cover situations in which a person is exposed to confidential information in the ordinary course of the employment or project, and it sets out the organization’s requirements in these circumstances. It should cover legal responsibilities and rights in protection of copyright, intellectual property, data protection legislation, confidential and sensitive (particularly financially sensitive) information and any other relevant information issue. A different and specific non-disclosure agreement (NDA) should be signed by any organization to which confidential information will be disclosed pursuant to a business transaction.
The agreement should be signed and dated, and the original returned to the organization before the individual is granted any access to confidential information. The terms of specific agreements should be reviewed when an employee’s circumstances change, particularly when he or she is due to leave the organization. It is often sensible to remind a departing employee (particularly someone who has had access to substantial amounts of confidential information in the course of the employment) of his or her obligations under the contract of employment and, in particular, of which obligations will survive termination of the employment. It is normal practice for compromise agreements to restate key confidentiality clauses.
Standard confidentiality agreements and NDAs should be reviewed after specific instances where loopholes in an existing agreement appear to have been found, and steps should be taken both to amend the document for the
IT GOVERNANCE128
future and, where the loophole is a significant one, to replace and re-sign existing confidentiality agreements and NDAs.
The contractual clauses should make clear that the employee has a responsibility for information security. This responsibility must be described. The simplest way to handle this is to attach the job description (and the separate statement of information security responsibilities, if this is the route that the organization has followed) to the contract of employment and for the contract of employment to refer explicitly to the responsibilities set out therein. As long as the information security clauses of the job description have been drafted in accordance with the guidance at the beginning of this chapter, and cover confidentiality, classification, responsibilities in regard to information received from third parties, responsibilities in respect of handling personal information, how the responsibilities are applied outside normal working hours and in any non-work (eg home) environment, and action to be taken in respect of anyone disregarding the organization’s requirements, this requirement of the standard will have been met.
The guidance for control A.7.1.2 additionally recommends that an employee’s or contractor’s responsibilities in respect of compliance with relevant legislation should also be clearly stated. This is particularly important in terms of data protection legislation, copyright laws and computer misuse legislation. The contract should contain a clause (drafted by the organization’s lawyers, and forming part of the contract of employment) that states that the individual will be personally responsible for ensuring that his or her activities in respect of information are not at any time or in any way in breach of these specific laws.
There is also the requirement to set clear rules for acceptable use of e-mail and the internet and, in the contract of employment, to set out very clearly the consequences for breaches of them. The rules do not need to be included in the contract, but the contract can refer explicitly to a section of the ISMS that contains them. E-mail usage rules are set out in detail in Chapter 20, as are acceptable internet use rules. Such policies must be consistently and firmly enforced; this sends a clear message to the organization that breaches will not be tolerated and helps build an environment of compliance.
During employment
Control 7.2.1 is a control requiring managers to ensure that everyone applies the organization’s security policies and procedures; it is, in other
HUMAN RESOURCES SECURITY 129
words, an extension of the requirements (see Chapter 3) that managers should be visibly committed to supporting the ISMS. ISO27002’s guidance on this control includes ensuring that staff (employees and contractors) are: properly briefed on their roles and responsibilities before they are granted access to sensitive information or information systems (evidenced by their (electronic) signature on their access rights document (see Chapter 12)); motivated to fulfil their roles and conform to the policies (evidenced through the internal audit process); aware of information security threats, risks and vulnerabilities; and will maintain their competence.
Clauses 7.2 and 7.3 of the standard and control A.7.2 (information security awareness and training) require the organization to ensure that its employees and contractors are aware of information security threats as well as their responsibilities and liabilities, and that it has appropriately competent personnel. The objective of this clause is simply to ensure that all users of the organization’s information assets, or those who are assigned responsibilities in the ISMS, are aware of information security threats and are competent and adequately equipped to perform the requested tasks and to support the organization’s information security policy in their work.
Control A.7.2.2 deals with information security awareness, education and training, and follows on from the previous control. All employees of the organization (including contractors) must receive appropriate awareness training and other training, as well as regular updates and communications.
Traditional training, which relies on someone delivering subject matter from the front of the classroom, is not a particularly effective method of ensuring that all of a large number of employees acquire the information, skills or knowledge that are needed. It is certainly not a method that reliably demonstrates that this requirement of the standard has been met. The best way of delivering information security staff awareness training is via e-learning that is run on a recognized learning management system (LMS) or in a cloud-based environment, supported by a range of wall posters and computer screen reminders and related material.
Staff awareness e-learning can be delivered directly on to the desktop workstation of the targeted employee. It can be delivered in a way that improves uptake and retention as compared with traditional classroom training. It can be delivered through the web or rolled out quickly using the corporate network. It can be delivered to a consistent standard across an entire organization, and geography is no real barrier. The learning can be accessed by employees at a time to suit them, and because trainees are not required to go away on a training course, productivity is not affected by e-learning. In fact, e-learning can be less expensive as a method of rolling out training than the traditional classroom approach, both because of these productivity benefits and because none of the usual costs of attending courses (whether internal or external) need to be incurred. There are a number of suppliers of e-learning products; one that can supply an appropriate suite of ISO27001 products virtually off the shelf is likely to be less expensive as an option than an organization that makes a bespoke package specifically for its client. Information about information security e-learning and other awareness products is available from www.itgovernance.co.uk/information-security-awareness (archived at https://perma.cc/5XRU-CYVU).
Web-based e-learning and any recognized LMS will both support network-based e-learning and provide a real audit trail that produces records of who has accepted specific policies, who has completed which e-learning modules and when they were done. The LMS can also run tests that can demonstrate the level of competence that the trainee has acquired in the subject matter. Administration of these systems can be done cost-effectively online.
E-learning is particularly cost-effective for training large numbers of staff. Small numbers of staff, particularly those who need detailed and extensive training, often involving feedback, questions and answers, coaching, etc, are better dealt with in the classroom. The areas of information security and the ISMS that are best dealt with through e-learning and that begin as part of the induction process are as follows:
● all-staff briefing – ISMS awareness, known threats and the importance of information security and the ISMS, including general controls;
● asset classification and control;
● reporting events and responding to security incidents and malfunctions;
● e-mail and web access awareness and rules;
● user access control and responsibilities;
● mobile computing and teleworking;
● legal compliance awareness and related issues;
● business continuity awareness and procedures.
Any staff involved in handling payment card data, and working within a cardholder data environment as defined by the PCI DSS, will also need specific training on their responsibilities in regard to that data.
There are also a number of staff who will require other user-specific training. These include the staff identified at the beginning of this chapter as needing specific statements in their job descriptions and contracts of employment about their information security responsibilities. These include:
● the chief information officer and/or chief information security officer;
● the information security adviser;
● members of the information security management forum;
● IT managers;
● network managers;
● IT and helpdesk support staff;
● webmasters;
● premises security staff;
● HR, recruitment and training staff;
● general managers;
● finance staff;
● the company secretary and legal staff;
● internal management or system auditors;
● business continuity and emergency response teams.
These staff should be exposed to the same all-staff training as discussed above. In addition, user-specific training will be required. The necessary training is best identified through an individual training needs analysis (TNA). The organization is likely to have a TNA process in place, and this should be applied to the security training issues. Those organizations that do not already have a TNA process in place have the choice between designing and implementing a process that will cover all of their training issues going forward, and implementing one that simply works for the information security training needs. Information security training is better tackled, on an ongoing basis, as part of a structured organizational approach to employee training. However, in situations where it is necessary to get security-specific training started, it may be simplest to apply a TNA process to deal specifically with information security training.
Any handbook on corporate training, or a training professional, could provide appropriate support on a step that is fundamental to well-designed training delivery. The principle underlying a TNA is that once the knowledge, skills and competency requirements of a particular role have been clearly established, and documented in the job description, the role holder’s own knowledge, skills and competence can be compared to the requirement and a gap analysis, or TNA, completed. The next step is to map out an individual learning path that will meet the requirements of the TNA and close the knowledge, skills and competence gap. This individual learning path will contain a mix of self-learning, instructor-led training and experience. It should identify clearly where the training is to come from and should set out the dates by when specific steps are to be taken, identified skills or competencies acquired and proof of acquisition generated. There is far more to a TNA than this, so do make use of a training professional to do the job properly.
While most organizations will have a TNA process in place for groups of staff, which identifies the gap between the individual’s skills and those of the generic role, there are individuals who, for information security purposes, must have very specific knowledge, skills and competencies that are in addition to those needed by a group of employees of which they may be a part. Clause 7.2.2 expects that there will be an individual TNA, based on an individual or additional assessment of the knowledge, skills and competence required for each of these roles, for each of the people in one of the individual or specialist roles identified above. Where this is being put together for a new employee, the offer letter might make permanent employment conditional on achieving certain stages within certain time-frames.
Clause 7.2 of the standard requires the organization to maintain records of competence, and this requirement is satisfied by following the recommendations of this chapter and attaching records of education, training, skills, experience and qualifications to the individual’s personnel file. More importantly, the effectiveness of the training must be evaluated, and this requires the specific objectives for each piece of training, and the criteria for measuring its effectiveness, to be identified and agreed in advance. This is in line with best practice for effective staff training.
Training should clearly be delivered by competent trainers. In Chapter 4, there is an initial discussion on appropriate training for specialist information security advisers and the specialist training resources on the IBITGQ and IT Governance websites. These sites should enable appropriate trainers for the various IT specialists to be identified.
Those IT staff charged with systems administration should be appropriately trained, by either the software supplier or by an approved training vendor, as system administrators for the software for which they are the nominated administrators. Evidence of this training should be retained on each individual’s personnel file. Those responsible for firewall, antivirus, encryption and any other security software should have appropriate training certificates and should be required to keep their skills and knowledge current by attending regular refresher and update courses. These should be booked into the individual’s training calendar in advance and there should be evidence that they were attended. Certainly, in any Microsoft environment there should always be a systems administrator who has a Microsoft certificate with the security extension, such as the MCSE with security.
Webmasters, in particular, need to be thoroughly trained and have their skills regularly updated. Their training needs to cover the security aspects of all the hardware and software for which they are responsible; in particular, they need to be capable of ensuring that the web servers are correctly configured and fully secured. It is essential that all high-risk systems are ‘hardened’ to at least the minimum standards identified by Microsoft on its technet website. Webmasters must be able to handle this.
Information security staff, company secretaries and legal staff and HR or personnel staff will also need specific legal training. There are a number of specific legal issues to do with information security (all discussed in Chapter 27), and the organization needs to know how to handle them, using standard template documents wherever possible. It does not need to employ an in-house lawyer, as this can be unnecessarily expensive; external expertise can be brought in where and when necessary to deal with specific legal issues.
Staff dealing with voice systems and network hardware and software will all need specific, supplier-certified administration and security training that covers these products. The organization will need access to regular updates on information security issues relating to these products.
There is a discussion in Chapter 27 about training for internal auditors.
There are two effective ways (particularly for a multi-site organization) to make information security related material available to everyone in the organization. The first is to use a document management system that pushes information out to users across the network, usually in conjunction with ensuring that they are aware of policy and procedural issues. The second is to put it on a shared drive, an intranet or SharePoint. Either the organization already has an intranet, or SharePoint, in which case it simply needs to create an information security sector on it (or within the quality management sector), or it could consider setting up an intranet or SharePoint. This does not need to be an expensive step and is undoubtedly the best way of dealing with information sharing. The organization’s existing webmaster or IT manager may have the skills necessary to set up SharePoint or it may be necessary to arrange appropriate training. Deployment of SharePoint does bring additional challenges of its own and, if this is the organization’s preferred course, it would be sensible to investigate how to deploy SharePoint server governance. Of course, it will also be necessary to ensure that appropriate guidance on procedures is available to any affected staff in case of a system crash. This could mean that paper versions of the procedures should be available or, alternatively, a notebook computer with an up-to-date set of procedures that is part of the emergency response equipment.
The benefits of using SharePoint are that it can be the single repository of controlled documents; the information security manual and procedures can all be stored there and staff can be trained to access the relevant SharePoint site for anything to do with information security. It is easy to keep the controlled documentation up to date and to ensure that document control is effective. It is then easy to alert all relevant members of staff about changes to procedure simply by sending out an internal e-mail, with an appropriate link, that tells them which sections of the ISMS have been changed. Twitter might be another alternative. SharePoint can also have a section that carries information about information security developments and issues of which staff need to be aware. Someone within the organization needs to have the responsibility for keeping the site up to date, and this person obviously will need to be appropriately trained. The people who might have this role include the information security adviser, the quality manager, the marketing manager (if the marketing department has responsibility for internal communications) or the webmaster.
Disciplinary process
Control 7.2.3 of ISO27002 says the organization should deal with employee (and contractor) violations of its information security policy and procedures through a formal disciplinary process. Obviously, the organization should use its existing disciplinary process, and should be clear about this in employee contracts (as discussed earlier in this chapter) and in the ISMS itself.
Clearly, no disciplinary process can start until the existence of a breach has been verified (and control 16.1.7 deals with evidence collection), and formal commencement criteria may need to be documented that are legal in the local jurisdiction. The organization should ensure that those who are carrying out a disciplinary hearing in respect of a reported violation of an information security procedure are given the professional and technical support that they might need in order to deal fairly with the person and the issue. This might require the organization’s information security adviser to be involved in the process. On no account should inexperienced, uninformed managers attempt to deal with information security matters that are beyond their knowledge or experience, as this would be unfair to the employee concerned and potentially dangerous for the organization if the full implications of an incident are not understood quickly enough. It could also, depending on the outcome of a disciplinary hearing conducted by an inexperienced manager, potentially expose the organization to time-consuming and expensive industrial tribunal actions or trade union challenges for unfair treatment of an employee.
Termination or change of employment
The control area (A.7.3) dealing with termination or change of employment has a single control (A.7.3.1) that should work alongside A.8.1.4 (Return of assets) and A.9.2.6 (Removal or adjustment of access rights). In many organizations, experience suggests that administration of employment termination is, in information security terms, often sloppy. As a result, organizations are creating new vulnerabilities that need to be assessed. The control objectives here are to ensure that termination of employment (or a change in job role) is carried out in an ordered, controlled and systematic manner, with the return of all equipment and removal of all access rights.
Control 7.3.1 deals with termination responsibilities and simply says the organization should document clearly who is responsible for performing terminations and what these responsibilities are. These responsibilities should clearly include dealing with the ongoing clauses in the contract of employment. Usually, the HR department will be responsible for ensuring that all the termination aspects of an employment contract have been dealt with (usually in conjunction with the ex-employee’s line manager), and these may be standard aspects of a termination interview, which is carried out in a standard way, using a standard checklist.
The termination of contractors needs also to be dealt with. The organization simply needs to determine how it will achieve, with these personnel, the same clarity as it seeks with ex-employees and who (agency, third-party organization) will be responsible for performing the task.
Control 8.1.4 requires all employees, third parties and contractors to return all organizational assets upon termination. As well as financial assets (eg credit cards and purchase orders) and HR or fixed assets (eg company cars), these assets fall into four categories: software, hardware, information and knowledge. Subject to local employment law, the contract of employment should have a clause that allows the employer to withhold any outstanding payments of any description until all organizational assets are proven to have been returned and, after a suitable interval, to deduct from any such outstanding amounts the cost of replacing assets that have not been returned. Of course, this will tend to push the majority of resignations to the day immediately after monthly or other substantial payments have cleared the employee’s bank account, but such is life.
The first two asset types are best dealt with procedurally through a centralized recording and authorization process; there should be a record for each employee (maintained by the HR or IT department) that lists all laptops, smartphones and other hardware issued to employees. This list could be linked to the asset inventory discussed in Chapter 9, and the nominated owner or custodian should clearly be the person to whom the asset is issued. There should be an acceptable use document for each asset, describing what has been provided (and laptops should have a standard, documented ‘kit’; while laptops are often returned, the accessories are often missed), setting out clearly the organization’s expectations for the proper use of the asset and including (eg for mobile telephones) any expectations about how costs are to be split between employee and organization.
Information – classified documents, whether electronic or paper – should also all be returned. In fact, it is difficult to identify what documentation any individual has removed during the course of employment (unless they were limited-circulation numbered documents), and this control is, in practical terms, best met through the termination interview. One standing item on the schedule for this interview should be a question as to whether or not the employee has any classified information and, if none, a reminder that any such documents must be returned.
Knowledge – the skills and competence that a terminated employee may have – should be retained in the organization. This is, in real terms, not easy to achieve. In the case of people who have critical knowledge, there should be a risk assessment prior to starting any termination action, to identify any knowledge that must be retained and to plan methods of retaining it. Unless this step is taken, one can assume that the knowledge – particularly if it is held by someone who is being unwillingly terminated – will leave the company with the employee. It is not unknown for organizations to delay commencing termination procedures with employees until the employees have successfully transferred their knowledge.
Control 9.2.6, removal of access rights, is critical, as access rights may enable a disgruntled ex-employee to compromise a system; this section should be read in conjunction with Chapter 11. The organization needs a clear documented procedure to ensure that upon termination (and sometimes – subject to risk assessment and local legislation – before termination), an employee’s (or contractor’s) access rights are also terminated. Similarly, any change in employment should also lead to a review and adjustment of existing access rights. These access rights include passwords, tokens and other authentication rights, e-mail and internet user accounts and user names, electronic files, etc and should be extended to include any identification cards, including business cards and headed notepaper. It may be necessary for ex-employee e-mail accounts to continue in use for a period after termination, and this should be covered by a standard policy that sets out how the e-mail auto-responder should be set up, who should have ownership of the account and how any incoming e-mails should be treated.
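As an added example (not from the book or from ISO27002), this is the reconciliation check a practitioner could run to evidence controls 8.1.4 and 9.2.6 above: it compares constructed HR, directory and asset-register exports, flags leavers whose accounts are still enabled or whose issued hardware is outstanding, flags movers holding groups their current role does not entitle them to, and exempts a leaver mailbox kept alive under the standing e-mail policy. The role-to-group model, record layouts and sample records are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Person:
    """One row of the HR roster export (constructed layout)."""
    person_id: str
    role: str
    status: str                         # "active" or "left"
    leaving_date: Optional[date] = None


@dataclass
class Account:
    """One row of the identity-directory export (constructed layout)."""
    username: str
    person_id: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)
    # A leaver mailbox kept running under the standing e-mail policy until this date
    mail_only_until: Optional[date] = None


@dataclass
class Asset:
    """One row of the asset register (the Chapter 9 inventory the text refers to)."""
    tag: str
    person_id: str
    description: str
    returned: bool


# Hypothetical role model: the groups each role is entitled to hold.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "finance": {"all-staff", "finance-ledger"},
    "helpdesk": {"all-staff", "helpdesk-tools", "password-reset"},
    "webmaster": {"all-staff", "web-admins"},
}

Finding = Tuple[str, str, str]          # (check, subject, detail)


def offboarding_findings(people: List[Person], accounts: List[Account],
                         assets: List[Asset], today: date) -> List[Finding]:
    """Return every termination or role-change control failure visible in the exports."""
    findings: List[Finding] = []
    by_id = {p.person_id: p for p in people}
    for acct in accounts:
        person = by_id.get(acct.person_id)
        if person is None:
            # No HR record means nobody accountable owns this account
            findings.append(("orphan-account", acct.username, "no matching HR record"))
        elif person.status == "left":
            if acct.enabled:
                # The standing e-mail policy may keep a mailbox open for a period
                if acct.mail_only_until and acct.mail_only_until >= today:
                    continue
                findings.append(("leaver-account-enabled", acct.username,
                                 f"left {person.leaving_date}"))
        else:
            # Mover check: groups beyond what the current role is entitled to
            allowed = ROLE_GROUPS.get(person.role, {"all-staff"})
            excess = sorted(acct.groups - allowed)
            if excess:
                findings.append(("mover-excess-groups", acct.username, ",".join(excess)))
    for asset in assets:
        person = by_id.get(asset.person_id)
        if person and person.status == "left" and not asset.returned:
            findings.append(("leaver-asset-outstanding", asset.tag, asset.description))
    return sorted(findings)


def run_sample() -> List[Finding]:
    """Run the check over constructed sample exports (not real data)."""
    today = date(2020, 4, 1)
    people = [
        Person("p001", "finance", "active"),
        Person("p002", "helpdesk", "left", date(2020, 3, 13)),
        Person("p003", "webmaster", "left", date(2020, 3, 27)),
        Person("p004", "helpdesk", "active"),      # moved from finance to helpdesk
    ]
    accounts = [
        Account("afinch", "p001", True, {"all-staff", "finance-ledger"}),
        Account("bhill", "p002", True, {"all-staff", "helpdesk-tools"}),    # leaver, still enabled
        Account("cweb", "p003", True, {"all-staff"}, mail_only_until=date(2020, 4, 30)),
        Account("dmoore", "p004", True, {"all-staff", "helpdesk-tools", "finance-ledger"}),
        Account("svc-old", "p999", True, {"all-staff"}),                    # no HR record
    ]
    assets = [
        Asset("LT-0142", "p002", "notebook", returned=True),
        Asset("LT-0142-DOCK", "p002", "docking station", returned=False),   # the missed accessory
        Asset("PH-0031", "p003", "smartphone", returned=True),
    ]
    return offboarding_findings(people, accounts, assets, today)


if __name__ == "__main__":
    for check, subject, detail in run_sample():
        print(f"{check:26} {subject:14} {detail}")
```

The output is the evidence list for the termination checklist: each finding names the control that failed, so the leaver mailbox under policy (cweb) correctly produces nothing while the missed docking station does.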
NIST issues security guidance for teleworking, establishing remote access
Friedman, Sara
March 20, 2020 | Sara Friedman

The National Institute of Standards and Technology has issued guidance to help government agencies and private organizations enable their employees to work from home while still maintaining network security.

"Organizations should carefully consider the balance between the benefits of providing remote access to additional resources and the potential impact of a compromise of those resources," said NIST in the document from the agency's Information Technology Lab on Wednesday. "To mitigate risk, organizations should ensure that any internal resources they choose to make available through remote access for telework purposes are hardened against external threats and that access to the resources is limited to the minimum necessary."

The guidance comes as the Office of Management and Budget is telling federal government departments and agencies "to prioritize all resources to slow the transmission of COVID-19, while ensuring our mission-critical activities continue."

NIST suggests four ways that organizations can provide their employees with remote access to their computing resources: tunneling, a portal, direct application access, or remote desktop access. Tunneling involves creating a "secure communications tunnel" between a telework client and a remote access server, usually by deploying a virtual private network gateway. The Cybersecurity and Infrastructure Security Agency issued guidance last week on enterprise VPNs, which covers technical considerations and mitigation tactics. A portal is a server that offers access to one or more applications through a single centralized interface; most portal architectures today are secure sockets layer VPNs. Direct application access allows users to reach individual applications directly, relying on the security those applications have in place themselves, such as communications encryption and user authentication. When using a remote desktop access solution, a teleworker can remotely control a particular desktop computer at their office using a telework client device.

The NIST guidance also lays out several security concerns that arise when using telework and remote access technologies:
* Lack of security controls on telework client devices used outside of an organization's control, such as an employee's home, coffee shops and other businesses.
* Unsecured networks susceptible to "eavesdropping" and "man-in-the-middle attacks" to intercept and modify communications.
* Providing external access to internal-only resources.

NIST recommends improving the security of telework and remote access solutions by planning out telework security policies and network controls assuming that external environments contain "certain hostile threats." Organizations should also create a telework policy with clear details on telework, remote access and bring your own device requirements. This NIST guidance was developed based on a publication put out by NIST in 2016, "Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security." On Thursday, NIST published a blog post outlining how individuals can improve network security for their own workspaces.

Other agencies are also taking steps to ensure that their employees and their customers have access to critical services during the COVID-19 crisis. The Cybersecurity and Infrastructure Security Agency issued guidance Thursday with a list of critical infrastructure sectors and functions that need to be considered as essential functions as state and local authorities make decisions on workplace restrictions. House Homeland Security Committee chairman Bennie Thompson has also asked President Trump to direct the Department of Homeland Security on how "to evaluate continuity of operations for critical infrastructure" in a letter Thursday.

— Sara Friedman
Publication title: Inside Cybersecurity; Arlington
Publication year: 2020
Publication date: Mar 24, 2020
Publisher: Inside Washington Publishers
Place of publication: Arlington
Country of publication: United States, Arlington
Publication subject: Computers–Computer Security
Source type: Trade Journal
Language of publication: English
Document type: News
ProQuest document ID: 2382562502
Document URL: https://www.proquest.com/trade-journals/nist-issues-security-guidance-teleworking/docview/2382562502/se-2?accountid=158986
Copyright: Copyright Inside Washington Publishers Mar 24, 2020