Personnel Security (PES)
It is an established fact that more than 70% of security incidents are attributed to internal threats. The impact of an internal security threat is immense; it provides easy options to jeopardize the security of an otherwise impregnable system. The human factor is probably the single greatest source of risk. Employees, by virtue of their roles, get access to extremely sensitive and confidential information during their tenure of employment. The quantum and complexity of the data that employees handle are increasing manifold. The sensitive nature and value of the data that organizations process demand a greater emphasis on the security of human resources. DSCI believes that Personnel Security (PES) plays a crucial role in the overall security preparedness of an organization.
New employees get immediate access to sensitive data; during their tenure they may be exposed to critical data as owner, custodian and user; and by the time of their exit they may hold key customer data and have attained mastery of the organization’s trade secrets, customer personal information, IPRs etc. The human factor therefore poses a greater risk to organizations and their customers’ data. This concern is increasingly reflected in various compliance regulations, which specify personnel security measures such as background screening, confidentiality agreements with employees and monitoring of employee behaviour. The evolution of HR practices that address the information security needs of an organization has led to the establishment of Personnel Security (PES) as an important domain of organizations’ security initiatives. DSF specifically focuses on PES as an important means towards achieving the end goal of data security.
- Prepare a catalogue of all HR processes — pre-employment, during the course of employment, employee exit and post exit elements — where security considerations are critically required
- Identify all elements of the organization’s security initiatives and mechanisms that require involvement of the HR function.
- Create an inventory of compliance requirements specific to PES and map these to the HR processes
- Create an inventory of instances that provide employees access to information resources.
- Analyze the threat perceptions and scenarios, from a human resources perspective, that may lead to a compromise of security or a data breach
- Identify security requirements for all relevant HR processes, considering the threat perceptions and compliance requirements of the organization
- Create an inventory of all security training and awareness elements, mapped to the resources dedicated to them and the media used to deliver them
- Analyze how the organization’s messages on security are communicated to the employees and all stakeholders involved.
- Ensure that a significant level of resources and effort is dedicated to the PES function and its activities
- Develop a strategic roadmap for personnel security using options such as collaboration platforms for employee awareness and participation, automation of policy enforcement and breach notification, and adoption of techniques for integration with other security mechanisms
- Ensure that there exists a significant and visible commitment from senior management, stating the importance of security and demonstrating their involvement in enforcing it across all levels of the organization
- Ensure that for each scenario — that may lead to leakage of data from employees during employment, in the process of exit and post employment — there exists a control mechanism to avoid data breaches
- Ensure that the pre-employment HR process includes background checks, and that these are extended to all support functions and external service providers
- Ensure that the terms and conditions of employment explicitly mention adherence to data security through a confidentiality agreement
- Ensure that employee induction training incorporates security awareness sessions. This should be followed by routine awareness campaigns during the tenure of employment
- Ensure that employees are aware of their contractual obligations and the legal liabilities arising from their system and online behaviour
- Ensure that the HR function is involved in access granting and revocation process. This is enabled by a mechanism that integrates HR workflow with information systems and a collaboration between HR, information security and IT functions
- Establish a communication plan for conveying enterprise messages on security
- Ensure that the policies for acceptable use are established for secure usage of organization’s resources — email, internet, systems, networks, applications, files, folders and data
- Ensure that the administrative rules and procedures are established to ensure compliance with information security policies
- Ensure that a mechanism and supporting disciplinary processes are established to resolve non-compliance issues and other variances in a timely manner
- Ensure that a mechanism exists for monitoring and reporting employee behaviour as per the policy of acceptable use
- Ensure that the performance of HR security function is tracked continuously, and the performance reports are made available for compliance and senior management review
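The item above on involving HR in access granting and revocation calls for a mechanism that ties the HR workflow to information systems, and the item on monitoring employee behaviour against the acceptable-use policy calls for reporting on it. The following is an added example of the reconciliation check such a mechanism would run; it is not DSCI's or the framework's own code. It compares an HR roster export against an account directory export and reports accounts that should be revoked (leavers), accounts with no HR owner (orphans), entitlements that no longer match the employee's department (movers), and enabled accounts nobody uses. All records, field names (employee_id, termination_date, entitlements, last_login) and the department-to-entitlement table are constructed assumptions; real HR and directory exports will need their own field mapping.

```python
"""Joiner/mover/leaver reconciliation between an HR roster and an account directory.

Added example, not DSCI's code. Every record below is constructed sample data and
the field names are assumptions about what an HR export and a directory export carry.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    department: str
    status: str                         # "active" or "terminated"
    termination_date: Optional[date] = None   # set when notice has been given

@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]          # None when the account has no HR linkage
    enabled: bool
    entitlements: frozenset
    last_login: Optional[date] = None

# Entitlements each department is expected to hold (constructed assumption).
DEPARTMENT_ENTITLEMENTS = {
    "finance": {"erp-read", "erp-post"},
    "support": {"crm-read"},
    "engineering": {"repo-write", "ci"},
}

def reconcile(roster, accounts, as_of, dormant_after_days=90):
    """Compare enabled accounts against the HR roster as of a given date.

    Returns a dict with sorted username lists under "revoke", "orphan" and
    "dormant", and a dict of username -> excess entitlements under "excess".
    """
    by_id = {r.employee_id: r for r in roster}
    revoke, orphan, dormant, excess = [], [], [], {}
    for acct in accounts:
        if not acct.enabled:
            continue                    # already disabled accounts need no action
        hr = by_id.get(acct.employee_id) if acct.employee_id else None
        if hr is None:
            orphan.append(acct.username)    # no HR owner: nobody is accountable for it
            continue
        # Leaver: HR says terminated, or the recorded termination date has passed.
        if hr.status == "terminated" or (hr.termination_date and hr.termination_date <= as_of):
            revoke.append(acct.username)
            continue
        # Mover: entitlements left over from a previous department.
        extra = acct.entitlements - DEPARTMENT_ENTITLEMENTS.get(hr.department, set())
        if extra:
            excess[acct.username] = sorted(extra)
        # Dormant: never used, or unused for longer than the threshold.
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_after_days:
            dormant.append(acct.username)
    return {"revoke": sorted(revoke), "orphan": sorted(orphan),
            "dormant": sorted(dormant), "excess": excess}

# Constructed sample data: a review run as of 15 June 2024.
AS_OF = date(2024, 6, 15)
SAMPLE_ROSTER = [
    HrRecord("E100", "Alice", "finance", "active"),
    HrRecord("E101", "Bob", "support", "terminated", date(2024, 5, 31)),
    HrRecord("E102", "Carol", "engineering", "active"),      # moved here from finance
    HrRecord("E103", "Dave", "support", "active"),
    HrRecord("E104", "Erin", "finance", "active", date(2024, 6, 25)),  # notice given, not yet left
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, frozenset({"erp-read", "erp-post"}), AS_OF - timedelta(days=3)),
    Account("bob", "E101", True, frozenset({"crm-read"}), AS_OF - timedelta(days=20)),
    Account("carol", "E102", True, frozenset({"repo-write", "ci", "erp-post"}), AS_OF - timedelta(days=1)),
    Account("dave", "E103", True, frozenset({"crm-read"}), None),
    Account("erin", "E104", True, frozenset({"erp-read"}), AS_OF - timedelta(days=5)),
    Account("svc-backup", None, True, frozenset({"repo-write"}), AS_OF - timedelta(days=2)),
    Account("frank", "E999", False, frozenset({"ci"}), AS_OF - timedelta(days=400)),  # disabled, skipped
]

def run_sample():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF)

if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

The "revoke" list is what the HR-to-IT workflow should feed into deprovisioning on the day of exit; the "orphan" and "excess" lists are the findings a periodic access review would escalate to the owning function, and the "dormant" list is the input to the acceptable-use monitoring report. Note that an employee with a future termination date (Erin) is deliberately not revoked early, so the check has to be re-run on a schedule rather than once.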
- Maturity of PES
- Visibility over PES functions
- Proportionality of countermeasures
- Standardization of approach & processes
- Technical directions
- Convergence of physical and logical security
- Integration & collaboration with other security initiatives, departments and functions
- Capacity & performance management of environmental security systems
- Awareness across the organization
DSCI Security Framework