Management: Personnel: How are personnel issues with information protection managed?
Options:
Option 1: HR department handles or is involved in all substantial personnel issues.Option 2: Life cycles associated with personnel are tracked and used to make decisions about behaviors and authorizations.
Option 3: Awareness levels are tracked and, when inadequate to the task, upgraded before continued use.
Option 4: Knowledge as shown by qualifications and suitability for tasks is tracked and used to determine suitability for jobs.
Option 5: Trustworthiness is determined to map personnel with risk in analyzing protection issues.
Option 6: History is used to analyze trustworthiness and suitability for jobs and clearances.
Option 7: Special capabilities or talents are tracked and used to assist in task assignments.
Option 8: Intent as expressed by individuals is used to assess trustworthiness and suitability for tasks and jobs.
Option 9: Modus operandi is used as an indicator of future behavior.
Option 10: Changes of employment status, job title, etc. are integrated into roles and authorization decisions.
Option 11: Clearances and need to know are tracked for personnel dealing with high consequence content and systems.
Option 12: Identity management (IdM) is integrated with personnel systems to assure that records and mechanisms are authoritative and timely.
Basis:
HR department handles or is involved in all substantial personnel issues.Personnel security issues focus on people involved in protection process and verification that they meet the necessary and appropriate standards and qualifications required for their duties. As such, it is the responsibility of HR to make certain that all appropriate functions are done and within the confines of applicable laws.
Life cycles associated with personnel are tracked and used to make decisions about behaviors and authorizations.
Life cycles associated with personnel generally involve
conception, pregnancy, birth, education, marriage, divorce, training,
hiring, promotion, demotion, suspension, vacation, illnesses, leaves,
job changes, moves, resignation, termination, retirement, death, and
legacy issues. All of these interact with information protection
issues in one way or another.
Awareness levels are tracked and, when inadequate to the task, upgraded before continued use.
Awareness levels in defined areas should be tracked to assure that
all personnel have appropriate awareness of key issues associated with
their job functions and that those who are not properly qualified and
aware are not permitted to do things that require that level of
awareness. At a minimum, security awareness programs have to touch
each individual in an enterprise every 6 months to be effective at
keeping levels high enough for effect.
Knowledge as shown by qualifications and suitability for tasks is tracked and used to determine suitability for jobs.
Knowledge associated with personnel helps to determine
qualifications and suitability for tasks and jobs. Knowledge tends to
be tracked to degrees and related programs, job history, and defined
areas of expertise within the enterprise. Advanced degree programs
tend to be reimbursed by the company if job-related and these are also
tracked in the enterprise.
Trustworthiness is determined to map personnel with risk in analyzing protection issues.
Trustworthiness is hard to assess, but trust is often granted
based on limited experience. Many of the least trustworthy people are
the most trusted because professional confidence operators are very
skilled at displaying the things that generate trust even though it is
not deserved. Many companies place excessive trust in insiders and
suffer the consequences. A systematic approach to evaluation of trust,
including time in position and life-related characteristics is more
effective at predicting trust-related behavior than non-measurable
qualities associated with personal friendships and liking.
History is used to analyze trustworthiness and suitability for jobs and clearances.
History is often cited as the best predictor of future
performance. Background checks and detailed information from personnel
records and references tends to produce historical information about
personnel that helps make reasonable and prudent decisions in this
space. Missing history information on individuals in personnel records
is a strong indicator of potential abuses of the system and should
lead to detailed investigations.
Special capabilities or talents are tracked and used to assist in task assignments.
Capabilities associated with individuals help lead to their
assignment to suitable tasks. Specific individuals have special
talents or training that produces capabilities that are unusual or
hard to train or find. These should be identified for specific
information protection tasking.
Intent as expressed by individuals is used to assess trustworthiness and suitability for tasks and jobs.
Intents are more difficult to understand than
capabilities. However, indicated intents are often provided in
letters, writings, and similar materials and should generally be
explored as indicative of likely behaviors. Group memberships and
similar factors tend to indicate intent, particularly in groups with
widely declared intents such as animal rights groups, ecological
groups, and so forth.
Modus operandi is used as an indicator of future behavior.
Modus operandi is typically associated with criminal behavior,
but all people display methods of operation that tend to be reproduced
over time. This is useful as an indicator for future tracking and
attribution as well as for understanding how likely interactions will
take place and be received.
Changes of employment status, job title, etc. are integrated into roles and authorization decisions.
Roles are typically associated with groups of individuals and
individuals may be associated with many roles, depending on their
tasking within the enterprise. These roles are then translated into
authorizations associated with functions on systems. People are moved
from role to role as they move from job to job, with the roles
refilled for operational continuity. Changes of employment status, job
title, responsibilities, and so forth are all issues that involve
information protection functions such as access to systems. Change
tracking for personnel and integration into accounts in information
systems, access passes, and so forth are critical to effective
protection.
Clearances and need to know are tracked for personnel dealing with high consequence content and systems.
Clearances are generally associated with individuals. These are
generated through formal processes, screened by authorized screeners,
and tracked and maintained by personnel systems. Clearances reflect
levels of trust relative to applicable standards. Need to know
information relates to specific work areas and projects. This too is
tracked by personnel-related records and must be protected to guard
projects against systematic exploitation of associated individuals.
Identity management (IdM) is integrated with personnel systems
to assure that records and mechanisms are authoritative and
timely.
Identity management (IdM) interfaces provide for interactions
between the identity management system and personnel, systems, and
others tasked with making decisions about individual access. They are
typically integrated with personnel systems to assure that records are
up to date with authoritative sources.