2 Persnl N Info Scty

Personnel and Information Security

Uploaded by cianofeli99

PERSONNEL AND INFORMATION SECURITY

2 PERSONNEL SECURITY
3 INTRODUCTION
• Personnel Security, as its name implies, deals with people.
• It covers policies and procedures that seek to manage the risk of people who have legitimate access to an organization’s assets.
• It is about securing a company or a firm from insiders or employees who are authorized to enter the company premises.
4 AREAS COVERED BY PERSONNEL SECURITY
• Personnel screening
• Background checks and lifestyle checks
• Security Education – includes:
  • whistleblower programs,
  • employee surveillance, and
  • employee loyalty programs
• Security clearance system
5 THE ROLE OF INTELLIGENCE IN PERSONNEL SECURITY
• To determine the reliability and suitability of applicants;
• To determine that employees remain loyal to and are not stealing from the company;
• To gather information and identify situations, involving persons working with or for the company, that could lead to loss (risk analysis) and come up with suitable solutions (risk management);
• To gather information about people that would aid the security force to better protect the interests and assets of the company.
6 INTELLIGENCE IN PERSONNEL SCREENING
• Focus on information about employees
• Employees must agree to be subject to investigation
7 OBJECTIVE OF BACKGROUND INVESTIGATIONS
• The main activity of background investigations is validation of information. This also involves finding out if there is willful withholding of information pertinent to employment. In other words, the investigator must also find out if there is derogatory information that the applicant knowingly withheld in his application that could impact whether he will be hired or not.
8 DIFFERENCE BETWEEN SECURITY & HR
• Take note that the objectives of the security department differ from, and even conflict with, those of the personnel department when it evaluates a job applicant. The security department wants to keep out dishonest applicants, while the personnel department seeks to fill up job vacancies as fast as possible.
9 PERSONNEL SCREENING
• The objective of personnel screening is to prevent theft by employees.
• A goal of personnel screening is to convince employees that they would be caught if they steal from the company.
• Basic to the effectiveness of any personnel security program is the cooperation of the employees.
• The best place to start any personnel security program is the screening of applicants.
10 PERSONNEL SCREENING
• SCREENING – is the process of finding the best-qualified person for the job, in terms of both skills AND personal integrity.
• Rejection of job applicants with dubious characters, or those considered as “BAD RISKS”, must be on the basis of carefully established standards.
• Standards must be met in every particular case, and not on a selective basis.
11 “RED FLAGS” IN AN APPLICANT’S BACKGROUND
• Instability in personal relations;
• Lack of job stability;
• Declining salary history, or taking a cut in pay from the previous job;
• Unexplained gaps in employment history;
• Clearly overqualified;
• Unable to recall, or hazy about, relevant information in the recent past.
12 BACKGROUND AND LIFESTYLE CHECKS
• Many employees turn bad only once they are already employed.
• A LIFESTYLE CHECK is a system of checking the lifestyle of certain employees to determine whether or not changes in lifestyle are explainable by legitimate sources of income.
13 BACKGROUND AND LIFESTYLE CHECKS
• Continuous background checks are important not only to keep tabs on an employee’s personal information (residence, marital status, etc.), but also to detect changes in lifestyle that may be a result of illegal activities.
• Background checks should also be done if an employee is a candidate for promotion to a more responsible or sensitive position.
14 NONDISCLOSURE OF PROPRIETARY INFORMATION STATEMENT
• Needed if your company has proprietary information or needs to protect certain trade secrets that may be accessible to vendors and suppliers.
• All concerned individuals should sign a non-disclosure agreement promising not to divulge proprietary information.
• This practice sends a strong signal that your company would exercise all legal means to protect its secrets.
15 EXIT INTERVIEWS AND DEBRIEFING
• Exit interviews allow you to find out the real reason why employees resign.
• They also give you an opportunity to get information or feedback regarding how the company is run.
• Exit interviews can be used to gather information about illegal practices being done within the company.
16 SECURITY DEBRIEFING
• For employees assigned to sensitive positions
• Said employees must be formally informed about the tighter information security protocols that they need to follow.
• After these employees leave the company or are reassigned to less sensitive information, a security debriefing is again required to remind them of their continuing responsibility to protect the information that they had access to.
17 HOW TO CONDUCT DEBRIEFING
• Debriefing should be established as a formally conducted procedure for all individuals leaving the company.
• Pertinent extracts of the regulations on security should be read and explained to the individual.
• Obtain a signed statement from the individual indicating that he is aware of his continuing security responsibility.
18 UNDERCOVER OPERATIONS
• The key is the secrecy of the agents’ true intentions and identity.
• More than one agent is usually employed.
• The ability of the agent to successfully infiltrate the organization without standing out is very important.
• Undercover operations are costly and need some time in order to succeed.
19 INFORMATION SECURITY

20 PROTECTION OF SENSITIVE INFORMATION
Information security is all about protecting information that a company considers vital or important to its business and not readily accessible by outsiders.
21 WHAT DO INFORMATION THIEVES WANT?
• Marketable data (SSS numbers, credit card numbers, bank accounts, etc.)
• Sensitive business information
• Information about the network infrastructure that could be exploited
22 MANIFESTATIONS OF OUTSIDE ATTACKS BY INFORMATION THIEVES
• Exploiting a trust relationship
• Obtaining an authentication credential (login and password, access card, etc.)
• Usurping a trusted access channel (hacking into a vendor, supplier, or customer’s channel)
23 MANIFESTATIONS OF OUTSIDE ATTACKS BY INFORMATION THIEVES
• Social engineering (pretending to be someone legitimate)
• Researching sensitive information on the Internet
• Technical ways of hacking
24 PROTECTION OF SENSITIVE INFORMATION
Some of the basic principles:
• Information need not be lost in order to be compromised or “stolen”.
• Information needs to be known in order to be useful.
25 DEFINITION OF TERMS
Proprietary Information – is information which, in some special way, is related to the status, operations or activities of the possessor, over which the possessor asserts ownership.

Trade Secret – may consist of any formula, pattern, device or compilation of information which is used in one’s business and which gives him an opportunity to gain an advantage over competitors who do not know or use it.
26 DEFINITION OF TERMS
• Information – means any knowledge that can be communicated, or documentary material.
• Control – means the authority of the agency that originates information, or its successor in function, to regulate access to the information.
• Classified information – means information that has been determined to require protection against unauthorized disclosure.
27 DEFINITION OF TERMS
• Unauthorized disclosure – means a communication or physical transfer of classified information to an unauthorized recipient.
• Proprietary Information – is information which, in some special way, is related to the status, operations or activities of the possessor, over which the possessor asserts ownership.
28 TARGETS FOR INDUSTRIAL ESPIONAGE
• Romantic partners
• Personnel who can be tempted to change careers
• Trash cover
• Employees
• Consultants
• Company in-house publications
29 QUESTIONS TO ASK IN PREPARING AN INFORMATION SECURITY POLICY:
• What documents are sensitive, and which security zones will protect them?
• What level of monitoring will be applied to the business channels?
• Will content security monitoring be able to employ a variety of pattern recognition methodologies?
• How will image files be examined?

30 QUESTIONS TO ASK IN PREPARING AN INFORMATION SECURITY POLICY:
• How will encrypted documents and communications be handled?
• Will monitoring be able to detect files that employ distorted text schemes?
• What is the policy on the use of digital cameras?
• What level of education or training will employees undergo regarding industrial espionage?
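As an added example (not part of the original presentation), the following Python script shows one form of the content security monitoring the questions above refer to: it scans outbound text lines for the marketable data listed earlier (credit card numbers, SSS numbers), uses the Luhn checksum to discard digit strings that merely look like card numbers, and masks every match in its report so the monitor itself does not leak the data. The sample lines, the SSS number format (XX-XXXXXXX-X) and the use of Luhn for card validation are assumptions made here, not statements from the slides.

```python
import re
from typing import List, Tuple

# Constructed sample outbound messages for the demonstration; all values are made up.
SAMPLE_LINES = [
    "Invoice attached, please pay with card 4111 1111 1111 1111 by Friday",
    "My SSS number is 34-1234567-8, please update the payroll record",
    "Ticket 1234-5678-9012-3456 is a tracking id, not a card",
    "Lunch at noon?",
]

# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Assumed SSS layout: two digits, seven digits, one check digit.
SSS_RE = re.compile(r"\b\d{2}-\d{7}-\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True when the digit string passes the card-number check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report is safe to store and share."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each sensitive pattern found in one line."""
    findings: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        # Luhn filters out order ids and tracking numbers that only look like cards.
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSS_RE.finditer(line):
        findings.append(("sss_number", mask(re.sub(r"\D", "", m.group(0)))))
    return findings


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a channel's lines; return (line_number, kind, masked_value) per finding."""
    report: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for kind, masked in scan_line(line):
            report.append((n, kind, masked))
    return report


if __name__ == "__main__":
    for n, kind, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {kind} {masked}")
```

On the sample lines the monitor flags the card number on line 1 and the SSS number on line 2, while the tracking id on line 3 fails the Luhn check and is ignored. A production monitor would add further patterns (bank account formats, document classification markings) and would have to decide, as the policy questions above ask, what to do with encrypted or image content that a text scanner cannot see.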
31 SUGGESTED SECURITY MEASURES
• Responsibility for information security must be defined, assigned and announced.
• Security audits should be regularly performed, and where deficiencies are noted, corrected.
• Employees should be continuously reminded of their continuing responsibility to protect the company’s SI.
32 END OF PRESENTATION
