Employee Security Controls

Employee Security Controls
CS5493(7493)
Contracts
• Employment contract
– Accompanying job responsibility description
• Non-Disclosure Agreement
• Acceptable Usage Policy
• Service Level Agreements
Employee Controls
• Things to consider when hiring:
– Credit check
– Background check
– Drug testing
– Lie detector test
Employee Controls
• All of the aforementioned controls are
intrusive.
• The employee or candidate must be properly
informed and must agree.
• Give them an opportunity to make any
disclosures.
Employee Controls
• Credit check – relatively inexpensive
compared to the other listed alternatives.
Employee Controls
• Background check
– Resume verification
– Job history verification
– Criminal history check
– References
Employee Controls
• When conducting a job history check, one can
contact former employers
• Former employers are allowed to disclose information that is not protected by law and that is accurate and truthful.
Employee Controls
• Drug testing
• Lie detector test
– Expensive to administer; not required for all employees.
Employee Controls
• Separation of Duties
• Need-to-Know
• Job Rotation
• Vacations
• Audits/Reviews
Separation of Duties
• This prevents someone from overseeing their
own work: reduces errors and fraud.
Separation of Duties
• The people writing checks to vendors cannot
be the same people who make the orders and
establish vendor contracts.
Need-to-Know
• Employees will be given access to the
information required for them to perform
their duties.
Need-to-Know
• Reduces the possibility of improper disclosure
of information.
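To make the two preceding slides concrete, the following is an added example (not part of the lecture) of how need-to-know and separation of duties can be enforced in code for the vendor-payment scenario: roles grant only the actions a job needs, and the person who created an order or established the vendor contract is refused when they try to write the check for that same transaction. The role names, action names and transaction ids are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample role model: each role grants only the actions that
# job needs (need-to-know / least privilege).
ROLE_PERMISSIONS = {
    "purchasing": {"create_order", "establish_vendor_contract", "view_order"},
    "accounts_payable": {"write_check", "view_order", "view_invoice"},
    "auditor": {"view_order", "view_invoice", "view_check"},
}

# Separation-of-duties rules: pairs of actions that must never be performed
# by the same person on the same transaction.
SOD_CONFLICTS = {
    frozenset({"create_order", "write_check"}),
    frozenset({"establish_vendor_contract", "write_check"}),
}


@dataclass
class Transaction:
    tx_id: str
    history: list = field(default_factory=list)  # (user, action) pairs, the audit trail


def authorize(user, roles, action, tx):
    """Return (allowed, reason) for `user` attempting `action` on `tx`."""
    # Need-to-know: the union of the user's roles must grant the action.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if action not in granted:
        return False, "need-to-know: roles %s do not grant %s" % (sorted(roles), action)
    # Separation of duties: refuse if this user already did a conflicting
    # action on the same transaction, even if a role would otherwise allow it.
    for prior_user, prior_action in tx.history:
        if prior_user == user and frozenset({prior_action, action}) in SOD_CONFLICTS:
            return False, "separation of duties: %s already performed %s on %s" % (
                user, prior_action, tx.tx_id)
    return True, "ok"


def perform(user, roles, action, tx):
    """Authorize the action and, if allowed, record it in the transaction history."""
    allowed, reason = authorize(user, roles, action, tx)
    if allowed:
        tx.history.append((user, action))
    return allowed, reason


def sod_violations(tx):
    """Audit helper: list (user, action_a, action_b) triples where one person
    performed both halves of a conflicting pair on this transaction."""
    found = []
    for i, (u1, a1) in enumerate(tx.history):
        for u2, a2 in tx.history[i + 1:]:
            if u1 == u2 and frozenset({a1, a2}) in SOD_CONFLICTS:
                found.append((u1, a1, a2))
    return found
```

The history list is the record that audits and reviews (later in this deck) would inspect; `sod_violations` shows that check over a transaction's trail.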
Job Rotation
• Separation of duties and need-to-know can be
defeated by collusion. Job Rotation is a
strategy to prevent collusion.
Job Rotation
• Makes it possible to track which users were
authorized to do what and when.
• Provides redundancy in job positions.
• Enhances human capital.
Vacations
• Vacations are important for determining if
your operation can function properly while
someone is away.
• A dishonest employee may be hiding
something and fearful of ever leaving their
post.
Audits/Reviews
• Employees should be reviewed.
– Usually annually.
• If an employee is not following security controls, find out why.
– Could be out of ignorance
– Could be deliberate deception
Disclosure
• Employees need to know why Employee Controls are necessary.
– For example, explain the necessity of need-to-know
– Employees can be disgruntled if they don’t know why they are uninformed about some issues
Exit Interviews
• Create a record of why an employee leaves.
Exit Interviews
• Make a checklist of actions
– Collect physical access items: keys, keycards, etc.
– Close accounts
– Notify vendors, contractors, business partners, helpdesk, etc. (create a list of contacts).