CH17 CompSec4e

The document discusses the importance of security awareness, training, and education programs for employees. It covers topics like developing awareness of security policies, providing security-focused training, and offering advanced education for security professionals. The document also addresses employment practices like background checks during hiring and ensuring proper termination of access when employees leave. Finally, it outlines best practices for responding to security incidents, such as detecting incidents, triaging issues, documenting responses, and establishing a computer security incident response team.


Computer Security: Principles and Practice
Fourth Edition, Global Edition
By: William Stallings and Lawrie Brown

Chapter 17
Human Resources Security

Security Awareness, Training, and Education

The topic of security awareness, training, and education is mentioned prominently in a number of standards and standards-related documents, including ISO 27002 (Code of Practice for Information Security Management) and NIST SP 800-100 (Information Security Handbook: A Guide for Managers).
Benefits to Organizations
Human Factors
Table 17.1 Comparative Framework
Awareness
• Seeks to inform and focus an employee's attention on
security issues within the organization
• Employees are made aware of their responsibilities for maintaining security and
the restrictions on their actions
• Users understand the importance of security for the well-
being of the organization
• Promote enthusiasm and management buy-in
• Program must be tailored to the needs of the
organization and target audience
• Must continually promote the security message to
employees in a variety of ways
• Should provide a security awareness policy
document to all employees
NIST SP 800-100 (Information Security Handbook: A Guide for Managers) describes the content of awareness programs, in general terms, as follows:

“Awareness tools are used to promote information security and inform users of threats and vulnerabilities that impact their division or department and personal work environment by explaining the what but not the how of security, and communicating what is and what is not allowed. Awareness not only communicates information security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Awareness is used to explain the rules of behavior for using an agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.”
Training
Education
• Most in-depth program
• Targeted at security professionals whose
jobs require expertise in security
• Fits into employee career development
category
• Often provided by outside sources
• College courses
• Specialized training programs
Employment Practices and Policies
• Managing personnel with potential access
is an essential part of information security
• Employee involvement:
• Unwittingly aid in the commission of a violation by
failing to follow proper procedures
• Forgetting security considerations
• Not realizing that they are creating a vulnerability
• Knowingly violate controls or procedures
Security in the Hiring Process
• Objective:
• “To ensure that employees, contractors and third party users
understand their responsibilities, and are suitable for the roles they are
considered for, and to reduce the risk of theft, fraud or misuse of
facilities”

• Need appropriate background checks and screening
• Investigate accuracy of details
• For highly sensitive positions:
• Have an investigation agency do a background check
• Criminal record and credit check
Employment Agreements
• Employees should agree to and sign the terms and conditions of their
employment contract, which should include:
• I. Employee and organizational responsibilities for information
security
• II. A confidentiality and non-disclosure agreement
• III. Reference to the organization's security policy
• IV. Acknowledgement that the employee has reviewed and
agrees to abide by the policy
Part 2: During Employment
Termination of Employment
• Termination security objectives:
• Ensure employees, contractors, and third party users exit
organization or change employment in an orderly manner
• The return of all equipment and the removal of all access
rights are completed
Email and Internet Use Policies
• Organizations are incorporating specific e-mail
and Internet use policies into their security
policy document
• Concerns for employers:
• Work time consumed in non-work-related activities
• Computer and communications resources may be
consumed, compromising the mission that the IT resources
are designed to support
• Risk of importing malware
• Possibility of harm, harassment, inappropriate
online conduct
Suggested Policies
Security Incident Response
• Response procedures to incidents are an essential control
for most organizations
• Procedures need to reflect possible consequences of an incident on
the organization and allow for a suitable response
• Developing procedures in advance can help avoid panic
• Benefits of having incident response capability:
• Systematic incident response
• Quicker recovery to minimize loss, theft, disruption of service
• Use information gained during incident handling to better prepare
for future incidents
• Dealing properly with legal issues that may arise during incidents
Computer Security Incident Response Team (CSIRT)
Security Incidents
Table 17.2 Security Incident Terminology
Detecting Incidents
• Incidents may be detected by users or
administration staff
• Staff should be encouraged to make reports of system
malfunctions or anomalous behaviors
• Automated tools
• System integrity verification tools
• Log analysis tools
• Network and host intrusion detection systems (IDS)
• Intrusion prevention systems
Triage Function
Responding to Incidents
• Must have documented procedures to respond to
incidents
• Procedures should:
Documenting Incidents
• Should immediately follow a response to an incident
• Identify what vulnerability led to its occurrence
• How this might be addressed to prevent the incident
in the future
• Details of the incident and the response taken
• Impact on the organization’s systems and
their risk profile
Summary
• Security awareness, training, and education
• Motivation
• A learning continuum
• Awareness
• Training
• Education
• Employment practices and policies
• Security in the hiring process
• During employment
• Termination of employment
• E-Mail and Internet use policies
• Motivation
• Policy issues
• Guidelines for developing a policy
• Computer security incident response teams
• Detecting incidents
• Triage function
• Responding to incidents
• Documenting incidents
• Information flow for incident handling
