Employee Security Controls
CS5493(7493)
Contracts
• Employment contract
  – Accompanying job responsibility description
• Non-Disclosure Agreement
• Acceptable Usage Policy
• Service Level Agreements
Employee Controls
• Things to consider when hiring:
  – Credit check
  – Background check
  – Drug testing
  – Lie detector test
Employee Controls
• All of the aforementioned controls are intrusive.
• The employee or candidate must be properly informed and must agree.
• Give them an opportunity to make any disclosures.
Employee Controls
• Credit check – relatively inexpensive compared to the other listed alternatives.
• Background check
  – Resume verification
  – Job history verification
  – Criminal history check
  – References
Employee Controls
• When conducting a job history check, one can contact former employers
• Former employers are allowed to disclose information that is not protected by law and that is accurate and truthful.
Employee Controls
• Drug testing
• Lie detector test
  – Both are expensive to administer and not required for all employees.
Employee Controls
• Separation of Duties
• Need-to-Know
• Job Rotation
• Vacations
• Audits/Reviews
Separation of Duties
• This prevents someone from overseeing their own work: reduces errors and fraud.
Separation of Duties
• The people writing checks to vendors cannot be the same people who make the orders and establish vendor contracts.
Need-to-Know
• Employees will be given access to the information required for them to perform their duties.
Need-to-Know
• Reduces the possibility of improper disclosure of information.
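As an added example (not part of the lecture), a small policy check that enforces separation of duties and need-to-know on the vendor-payment workflow described above; the role, actor and action names are assumed for illustration.

```python
# Added example: enforce separation of duties and need-to-know on a vendor payment.
# Roles, actors and actions below are constructed sample data, not real policy.
from dataclasses import dataclass, field

# Need-to-know: each role is granted only the actions its duties require.
ROLE_ACTIONS = {
    "purchasing": {"create_order", "set_vendor_contract"},
    "accounts_payable": {"write_check"},
}
# Assumed staff-to-role assignments (constructed).
ACTOR_ROLES = {
    "alice": {"purchasing"},
    "bob": {"accounts_payable"},
    "carol": {"purchasing", "accounts_payable"},
}
# Separation of duties: writing the check conflicts with having placed the order
# or set up the vendor contract for that same order.
CONFLICTS = {"write_check": {"create_order", "set_vendor_contract"}}


@dataclass
class Order:
    order_id: str
    history: list = field(default_factory=list)  # audit trail of (actor, action)


def authorize(actor: str, action: str, order: Order) -> str:
    """Apply the action to the order if both controls pass; return the decision."""
    roles = ACTOR_ROLES.get(actor, set())
    permitted = set().union(*(ROLE_ACTIONS[r] for r in roles))
    if action not in permitted:
        return "denied: need-to-know"
    for prior_actor, prior_action in order.history:
        if prior_actor == actor and prior_action in CONFLICTS.get(action, set()):
            return f"denied: separation of duties ({prior_action})"
    order.history.append((actor, action))  # the record a later audit/review checks
    return "allowed"


def run_demo() -> list:
    """Walk one constructed order through the controls and return each decision."""
    order = Order("PO-1001")
    steps = [
        ("carol", "create_order"),  # carol places the order
        ("carol", "write_check"),   # same person tries to pay it: blocked by SoD
        ("alice", "write_check"),   # purchasing has no need to write checks
        ("bob", "write_check"),     # a different person in accounts payable: allowed
    ]
    return [(a, act, authorize(a, act, order)) for a, act in steps]
```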
Job Rotation
• Separation of duties and need-to-know can be defeated by collusion. Job Rotation is a strategy to prevent collusion.
Job Rotation
• Makes it possible to track which users were authorized to do what and when.
• Provides redundancy in job positions.
• Enhances human capital.
Vacations
• Vacations are important for determining if your operation can function properly while someone is away.
• A dishonest employee may be hiding something and fearful of ever leaving their post.
Audits/Reviews
• Employees should be reviewed.
  – Usually annually.
• If an employee is not following security controls, find out why.
  – Could be out of ignorance
  – Could be deliberate deception
Disclosure
• Employees need to know why Employee-Controls are necessary.
  – For example, explain the necessity of need-to-know.
  – Employees can be disgruntled if they don't know why they are uninformed about some issues.
Exit Interviews
• Create a record of why an employee leaves.
• Make a checklist of actions:
  – Collect physical access items: keys, keycards, etc.
  – Close accounts
  – Notify vendors, contractors, business partners, helpdesk, etc. (create a list of contacts).