Users can pose the biggest security risk to an organization. Background checks should be performed, contractors must be securely managed, and users should be properly trained and made aware of security risks, as discussed next.
Security Awareness and Training
Security awareness and training are often confused. Awareness changes user behavior, while training provides a skill set.
Reminding users never to share their accounts or write their passwords down is an example of awareness.
Awareness assumes that some users are doing the wrong thing and is designed to change that behavior.
Security training teaches a user how to do something. Examples include training new help desk personnel to open, modify, and close service tickets; training network engineers to configure routers; or training a security administrator to create new accounts.
Organizations should conduct a thorough background check before hiring an individual. This includes checks of criminal records and verification of all experience, education, and certifications.
Lying about or exaggerating education, certifications, and related credentials is one of the most common examples of dishonesty in the hiring process.
Termination should result in the immediate revocation of all of the employee's access. Beyond account revocation, termination should be a fair process.
There are ethical and legal reasons for employing a fair termination process, but there is also an information security advantage.
An organization's worst enemy can be a disgruntled former employee who, even without legitimate account access, knows where the weak spots are. This is especially true of IT personnel.
Vendor, Consultant, and Contractor Security
Vendors, consultants, and contractors can introduce risk to an organization. They are not direct employees, and they sometimes have access to systems at multiple organizations.
If allowed to, they may place an organization's sensitive data on devices not controlled (or secured) by the organization.
Third-party personnel with access to sensitive data must be trained and made aware of risks, just as employees are.
Background checks may also be required, depending on the level of access required.
Information security policies, procedures, and other guidance should apply as well. Additional policies regarding ownership of data and intellectual property should be developed.
Clear rules dictating where and when a third party may access or store data must be developed.
Outsourcing and Offshoring
Outsourcing is the use of a third party to provide information technology (IT) support services that were previously performed in-house. Offshoring is outsourcing to another country.
Both can lower total cost of ownership (TCO) by providing IT services at a reduced cost. They may also enhance the IT resources available to a company (especially a small company), which can improve the confidentiality, integrity, and availability of its data.
Offshoring can raise privacy and regulatory issues. For example, for a US company that offshores data to Australia, HIPAA, the primary regulation covering health care data in the United States, does not apply in Australia.
There is no SOX (Sarbanes-Oxley, protecting publicly traded data in the United States), no Gramm-Leach-Bliley Act (GLBA, which protects financial information in the United States), etc.
Always consult with legal staff before offshoring data. Contracts must ensure that data is protected regardless of where it is located.