The Six Pillars of Personnel Security Policy

The insider threat is often discussed among the top information security risks facing organizations.  In fact, for the first time in seven years of doing the study, the 2012 Ponemon Data Loss survey listed internal mistakes by insiders as the number one cause of data breaches.  What is an insider threat?

This term is loosely used to describe current or former employees doing damage to the organization.  These can be malicious actions, such as stealing confidential information, or accidental, such as sending confidential information in an email attachment.  Within the world of information security policies, risks involving personnel are addressed with the Personnel Security Policy.

Challenges of Personnel Security

Personnel security is an extremely challenging area of security.  In order to function, an organization must allow access to sensitive data.  But in an instant, a trusted employee can become an attacker.  A recent court ruling involving corporate data stolen by a former employee is a perfect illustration.

In short, the court ruled that since the employee had legitimate access to the information at the time it was taken, they could not be prosecuted under state law or federal anti-hacking laws.  It was clear that the employee violated written security policy.  But it wasn’t clear that this constituted a criminal act under current laws.

On the surface, this would seem like a death-blow to the entire notion of having information security policies.  But the situation is complicated, because not all policy violations are criminal acts.  For example, one piece of information that was not revealed in the court case could have been critical – did the employee sign a non-disclosure agreement (NDA)?  If stealing confidential information does not constitute “hacking” in the eyes of the law, would violation of an NDA have made any difference?  In any case, the entire episode is a good chance to look at the entire area of personnel security.  While firewalls, intrusion detection and anti-malware get much of the spending, the cases always come down to people.

The Objectives of Personnel Security

Before diving into the details, what are the high-level objectives of a personnel security policy?  Generally, there are two.  The first is to protect sensitive information by securely managing the “life-cycle” of employment.  Generally, the life-cycle has three phases – pre-employment, during employment, and post-employment.  (For example, the ISO 27002 Standard uses this breakdown.)  But another important objective of a personnel security policy is to establish key governance points regarding information security.  In short, the organization wants to make sure that the rest of their security policies are enforceable.  This means taking proper steps to educate employees on general information security requirements as well as on organization specifics such as how to report an information security incident.  This second set of governance controls is most often overlooked in weak personnel security policies.

Core Elements of Personnel Security

So what are the key areas that should be covered in a personnel security policy to best protect the organization?  By analyzing a combination of best practices, real incidents and regulatory requirements, several key areas jump out as critical.  While there are a lot of elements to personnel security, we choose to refer to these as the “Six Pillars”.

Pillar 1:  Screening

Screening is the process of verifying a prospective employee’s credentials and suitability for the job.  Most often this is in the form of a background check.  The general idea is to make sure that former criminals are not hired or placed in positions of trust within the organization.  But employee screening can take on many different levels, depending on the nature of the organization and the position being screened.  Other security policies may, for example, require a credit check or emotional stability test, or a check with references at previous employers.  Many insiders who commit crimes have a history of human resources issues at current or previous employers.

Pillar 2: Contracts

This pillar is less obvious, but just as important when it comes to governance and the ability to take action against employees who violate security policies and also commit crimes.  Controls related to contracts include employment agreements, non-compete agreements, non-disclosure agreements and intellectual property agreements.  Contracts are designed to protect intellectual property from being stolen or lost.

Pillar 3: Security Policy Acknowledgement

Every employee or contractor with access to information must be made aware of the information security policies that apply to them.  In most organizations, this includes a high-level “Code of Conduct” as well as acceptable use policies such as Internet Acceptable Use.  But a key governance piece is sometimes ignored:  making certain that employees formally acknowledge that they have read and understood the written policies.  While this control is rarely called out within security regulations or frameworks, it is critical for policy enforcement.  Many court cases have gone the way of employees who were fired for policy violations but claimed ignorance of the policies.  Without a written acknowledgement, few organizations can defend against the claim of being unaware of policies.

Pillar 4: Security Education

One of the most often ignored aspects of personnel security is awareness and education.  Employees must be trained on basic information security principles so they can recognize common threats such as phishing attacks.  Study after study has demonstrated that human error is the root cause of a majority of data breaches.  In addition to basic security education, employees should also be trained on the information security policies of the organization.  (See Pillar 3.)

Pillar 5: Monitoring

Although employees are by definition trusted by the organization, their behavior still must be monitored at some level.  The type and level of monitoring depends on many factors, including the sensitivity of the data being used, the overall security posture of the organization, or even government requirements.  At a minimum, the organization should monitor all security-related user activity on systems.  Many organizations choose to monitor internet and web traffic.  Whatever the security posture on monitoring, it is best to inform employees of how they are being monitored.  The disclaimer of “no expectation of privacy” generally applies when using corporate resources.  But if that policy is not communicated to employees, legal trouble is possible in any attempt to use the information for sanctions.

Pillar 6:  Termination Procedures

The final essential component of personnel security is having proper termination procedures in place and enforced.  Once an employee is no longer employed (or has indicated that they are going to leave), both logical and physical access must be terminated.  In addition, the exit process usually involves the return of organizational property such as laptops or access badges.  There is a reason that termination procedures are required in nearly every information security regulatory framework.  In many cases former employees have been able to access their employer’s network – either via their own login ID or via a shared ID that was created – and steal data or plant malicious software.
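Pillars 5 and 6 together describe a control that can be checked mechanically: security-related user activity is logged (Pillar 5), and the log plus the directory can be reconciled against HR separation records to catch the failure mode Pillar 6 warns about, a departed employee's own login ID still enabled, or a shared ID whose credential they still know.  The Python below is an added example written for this page, not code from the article or from Information Shield; the separation records, directory export and authentication log lines are constructed sample data, and the log format is a simplified syslog-like layout assumed for illustration.

```python
import re
from datetime import date, datetime

# Constructed sample data for this example (not from the article).
# HR separation records: login id -> last day of employment.
SEPARATIONS = {
    "jdoe": date(2012, 3, 1),
    "asmith": date(2012, 3, 15),
}

# Constructed directory export.  Shared accounts carry the list of people who
# know the credential; that list is what makes them risky after a departure.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "shared": False, "known_to": ["jdoe"]},
    {"user": "asmith", "enabled": False, "shared": False, "known_to": ["asmith"]},
    {"user": "bwong", "enabled": True, "shared": False, "known_to": ["bwong"]},
    {"user": "svc-backup", "enabled": True, "shared": True, "known_to": ["jdoe", "bwong"]},
]

# Constructed authentication log in an assumed, simplified syslog-like layout.
AUTH_LOG = """\
2012-02-20T10:00:00 sshd accepted password for jdoe from 10.0.0.12
2012-03-02T08:12:05 sshd accepted password for jdoe from 10.0.0.12
2012-03-02T09:40:11 sshd accepted password for bwong from 10.0.0.30
2012-03-16T22:05:44 sshd accepted password for svc-backup from 203.0.113.7
"""

LOG_RE = re.compile(r"^(\S+) sshd accepted password for (\S+) from (\S+)$")


def stale_access(separations, accounts):
    """Accounts the termination procedure should have handled but did not.

    Returns a sorted list of (account, action) tuples:
      - a personal account still enabled after its owner's last day
      - a shared account whose credential is known to a departed person
        (it cannot simply be disabled, so the credential must be rotated)
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["shared"]:
            departed = sorted(u for u in acct["known_to"] if u in separations)
            if departed:
                findings.append((acct["user"], "rotate: known to " + ",".join(departed)))
        elif acct["user"] in separations:
            findings.append((acct["user"], "disable: owner separated"))
    return sorted(findings)


def post_separation_logins(separations, accounts, log_text):
    """Successful logins that happened after a user's last day.

    Personal accounts are flagged outright.  Shared accounts are flagged when
    someone who knew the credential has left, because the log alone cannot
    say who actually typed it; those hits need a human review.
    """
    shared_known_to = {a["user"]: a["known_to"] for a in accounts if a["shared"]}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an accepted-login line in the assumed layout
        ts, user, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
        if user in separations and when > separations[user]:
            hits.append((ts, user, src, "personal account used after last day"))
        elif user in shared_known_to:
            departed = [u for u in shared_known_to[user]
                        if u in separations and when > separations[u]]
            if departed:
                hits.append((ts, user, src,
                             "shared credential known to departed " + ",".join(departed)))
    return hits


if __name__ == "__main__":
    for finding in stale_access(SEPARATIONS, ACCOUNTS):
        print("ACCOUNT", *finding)
    for hit in post_separation_logins(SEPARATIONS, ACCOUNTS, AUTH_LOG):
        print("LOGIN", *hit)
```

On the sample data the first check reports that jdoe's account is still enabled and that the shared svc-backup credential is known to jdoe and must be rotated; the second check flags jdoe's login on 2 March and the svc-backup login on 16 March, while jdoe's login on 20 February (before the last day) and bwong's login are left alone.  The design point is that the shared-ID case is only detectable at all if someone recorded who knows the credential, which is an argument for keeping that inventory as part of the termination procedure.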

Other Resources

For those interested in more details regarding insider threats, the Insider Threat Center at Carnegie-Mellon has published numerous research papers that are freely available.  At Information Shield, we have incorporated most of these results into our sample security policies within the PolicyShield Security Policy Subscription.  For those who need to develop Personnel Security Policies, Information Security Policies Made Easy contains over 80 specific sample security policies on personnel security alone.