Good personnel security is necessary to achieve good cybersecurity. Research personnel security breaches and concerns and outline a library of personnel security controls.
Laxity of workers in the line of duty is a significant cause of data breaches. In 2018, approximately 47% of business leaders reported that human error, such as employees misplacing documents or devices, had caused a data breach at their workplace (Reinicke, 2018). Worldwide, the mean cost of a data breach to a company was 3.6 million dollars in 2017 (Reinicke, 2018). A cost of that size can put an entire business at risk, particularly a smaller one. A data breach can also reduce the value of a company's brand regardless of the company's size (Colwill, 2009), and the loss of data can impair the company's operations (Nelson, Crawford, Richmond, Lang, Leather, Nicewander & Godes, 2009). Studies indicate that certain employee behaviors, and work performed outside the office environment, create risks to any business's security. Personnel security control policies aim to establish control measures across all aspects of human resource management, from hiring and training to termination, in order to enforce compliance with the information security program.
Personnel security controls
Heads of departments with knowledge of information technology or information security must be responsible for providing security orientation and education to all workers in their department, both new and existing, concerning how they use the information systems of those departments. Cybersecurity must extend beyond the office to the homes of employees who work remotely and to the external vendors with whom the company transacts business (Reinicke, 2018). IT should be accountable for making end-users aware of pending operational changes and for helping them implement those changes.
New Hire Orientation
All newly hired staff should undergo orientation training to understand the organization's security policies and procedures. This training should cover the end-user acceptable use policy, data handling and disposal, and other security safeguards (CM Methods, LLC, 2020). Employees should also receive network training and training on the systems and applications they need to perform their job functions.
Security Awareness or Reminders
Security education should be delivered continuously through sign-in banners, posters, memos, promotions, letters, and periodic meetings to reinforce the concepts taught in security training. Security awareness training should clearly describe security concerns and the potential issues that could compromise the confidentiality, integrity, or availability of sensitive information (CM Methods, LLC, 2020). Every member of the workforce must attend ongoing awareness sessions and training. Training on adversary group operations and on recognizing sabotage-related devices and equipment that might be used against the organization's facilities or shipment vehicles, among other topics, should be part of each individual's responsibility for protecting the organization's security (U.S. Department of Homeland Security, 2004). Security reminders can also inform staff of new and ongoing security activities and initiatives.
Personnel Screening
A review should be conducted before hiring to ensure that security roles and responsibilities are properly defined and communicated to job candidates. A background check should be conducted on every new hire who will have access to classified data. Pre-employment conduct that is found to pose a risk to the organization's security should be grounds for immediate termination of employment (CM Methods, LLC, 2020). Personnel screening should allow for a range of implementations, from minimal procedures to more stringent ones, based on the results of the risk analysis.
Vulnerability and Risk Assessment
Organizations should implement a Security Vulnerability Assessment (SVA) to support risk assessment and decision making on operating risks and to measure progress toward mitigating the risks associated with control system operations (U.S. Department of Homeland Security, 2004). The SVA identifies and analyzes the following: actual and potential initiating events that could lead to control system-related incidents, together with the likelihood and consequences of such events; a structured, well-formulated means for selecting and carrying out risk reduction activities; and a way of tracking the performance of these programs so that the SVA process itself can be improved.
Access to the control system should be limited and controlled. Personnel gates to control areas should be fitted with biometric or electronic access systems that monitor and record all entry and exit activity in those areas, which include motor control centers, rack rooms, server rooms, telecommunications rooms, and control system rooms (U.S. Department of Homeland Security, 2004). Access should also be controlled through physical measures such as sign-in logs and photo ID badges.
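Recording entry and exit is only half of the control; the records must also be reviewed against the personnel records that hiring and termination produce. The following Python script is an added example written for this page, not code from any of the cited sources. It reconciles a badge access log for the controlled areas named above against an HR roster and flags unknown badges, badges of terminated employees that still open doors, entries to areas the person is not authorized for, and entries outside business hours. The roster, the area names, the business hours, the CSV log layout and every log line are constructed for the example.

```python
"""
Added example, not from the original page: a small audit that reconciles a
physical access log for controlled areas (server rooms, rack rooms, and so
on) against an HR roster, so that badge use by terminated or unauthorized
personnel, unknown badges, and entries outside business hours are flagged.
The roster, the areas, the business hours and the log lines are all
constructed for this example; the CSV layout is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Controlled areas named in the text; only entries to these are audited.
CONTROLLED_AREAS = {"mcc", "rack_room", "server_room", "telecom_room", "control_room"}

# Constructed HR roster keyed by badge id. "areas" lists the controlled
# areas the person is authorized to enter. Termination must be reflected
# here promptly, otherwise the badge keeps working at the door.
ROSTER = {
    "B1001": {"name": "A. Rivera", "status": "active", "areas": {"server_room", "rack_room"}},
    "B1002": {"name": "J. Chen", "status": "terminated", "areas": {"server_room"}},
    "B1003": {"name": "M. Okafor", "status": "active", "areas": {"telecom_room"}},
}

# Approved hours for routine entry; anything outside them deserves a second look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed access log: ISO timestamp, badge id, area, direction.
ACCESS_LOG = """\
2024-03-04T09:12:00,B1001,server_room,in
2024-03-04T09:40:00,B1001,server_room,out
2024-03-04T22:15:00,B1002,server_room,in
2024-03-04T10:05:00,B1003,rack_room,in
2024-03-04T10:30:00,B1003,rack_room,out
2024-03-04T14:00:00,B1003,lobby,in
2024-03-05T03:30:00,B1001,rack_room,in
2024-03-05T11:00:00,B9999,control_room,in
"""


@dataclass
class Finding:
    timestamp: str
    badge: str
    area: str
    reason: str


def parse_log(text):
    """Parse the CSV log into (datetime, badge, area, direction) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, area, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, area, direction))
    return events


def audit_access(log_text, roster, hours=BUSINESS_HOURS):
    """Return one Finding per suspicious entry event, in log order."""
    start, end = hours
    findings = []
    for ts, badge, area, direction in parse_log(log_text):
        # Exits and uncontrolled areas (e.g. the lobby) are not audited here.
        if direction != "in" or area not in CONTROLLED_AREAS:
            continue
        person = roster.get(badge)
        if person is None:
            findings.append(Finding(ts.isoformat(), badge, area, "unknown badge"))
            continue
        if person["status"] != "active":
            findings.append(Finding(ts.isoformat(), badge, area,
                                    f"badge of {person['status']} employee still active"))
            continue
        if area not in person["areas"]:
            findings.append(Finding(ts.isoformat(), badge, area,
                                    "area not authorized for this badge"))
        if not (start <= ts.time() <= end):
            findings.append(Finding(ts.isoformat(), badge, area,
                                    "entry outside business hours"))
    return findings


if __name__ == "__main__":
    for f in audit_access(ACCESS_LOG, ROSTER):
        print(f"{f.timestamp} badge={f.badge} area={f.area}: {f.reason}")
```

Run against the constructed log, the audit produces four findings: the terminated employee's badge opening the server room at night, an active employee entering a rack room outside their authorized areas, an authorized employee entering at 03:30, and a badge that does not appear in the roster at all. The terminated-employee case is the one that ties directly back to personnel controls: it only appears if HR termination records are fed to the same reconciliation that the access system logs feed.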
Personnel security controls should begin with the screening of potential candidates and continue through hiring. The employer should gather sufficient information about a candidate's background to ensure that every employee is fit for the work (Taylor, 2013). Screening helps to weed out candidates who might be inclined to sabotage the firm's information security (Hughes, 2010), and it should be incorporated into standard personnel policies (Fennelly & Perry, 2014). Candidates should complete a personnel security questionnaire so that their character and their cybersecurity awareness can be assessed (Wood, 2008). The investigation should cover former employers, schools attended, public records, and credit agencies. Implementing personnel security controls should be a continuous activity rather than a one-time exercise, because working environments keep changing; for instance, during the current pandemic many employees work remotely, which poses new cybersecurity threats.
Recommendations for enhancing Personnel security controls
- Information security policies should also address the use of consultants and vendors.
- Candidates should sign acknowledgments confirming that they understand the organization's cybersecurity control measures and the threats those measures address.
- All policy requirements should be documented and distributed to employees to read.
- Candidates whose positions involve access to sensitive information should undergo thorough pre-employment screening.
In conclusion, a firm must recognize that its personnel are both its greatest asset and its most significant internal cybersecurity threat. Firms should maintain a high level of security for both their employees and their property. Internal threats can arise from employees' negligence of security measures, which is why training and awareness cannot be ignored. No cybersecurity program can work if employees are not well trained, motivated, and aware. Firms must document their personnel security control measures to protect their information and ensure that employees have read and signed them.