20 Sep With the increase in telework options at companies, the company must have IT security policies in place for mobile devices used by employees. Review the following article and respond t
With the increase in telework options at companies, the company must have IT security policies in place for mobile devices used by employees. Review the following article and respond to the questions below.
Friedman, S. (2020). NIST issues security guidance for teleworking, establishing remote access. Inside Cybersecurity (Attached)
> In your current or previous work experience (tech, software engineer), did the company follow the IT practices suggested in the article or chapter reading?
> Why is it important that proper training be provided to employees?
> What are some common threats that might result from improper or missing training?
> What in the article or chapter reading surprised you the most?
The article and chapters are attached. Need 3 pages with peer-reviewed citations. Use a Tech company. No introduction or conclusion needed.
7
Mobile devices
Mobile devices and teleworking
Control objective A.6.2 of ISO27002 is to ensure information security when mobile or when working remotely. The protection required should, of course, be proportional to the risks identified (through a risk assessment). Many of the issues related to both mobile working and teleworking have been touched on elsewhere in this book. These include issues around infor- mation classification (Chapter 9), equipment security (Chapter 16), virus control (Chapter 18) and access control (Chapter 11). The two sub-clauses deal, respectively, with mobile computing and teleworking.
Mobile computing
Control 6.2.1 of ISO27002 says the organization should have in place a formal policy and appropriate controls to protect against the risks of work- ing with mobile computing facilities, particularly in unprotected locations. If the organization has a BYOD (‘Bring Your Own Device’) policy, this is where it would primarily occur within the ISMS.
Any organization that operates a mobile computer network – and a Blackberry or smartphone network would count – should take specific steps to protect itself. These controls may also be relevant in respect of staff accessing organizational assets from their own private mobile devices. If it also has teleworkers, this policy for mobile computers could be integrated with that for the teleworkers. The first step is to design and adopt, within the ISMS, a mobile computing policy, which must be accepted in writing by those who wish to use mobile facilities before they are allowed to. The sensi- ble organization will also ensure that users receive appropriate training before they are issued with mobile computing equipment (notebooks, smart- phones).
IT GOVERNANCE116
This policy should consolidate all the procedures discussed elsewhere in this manual in respect of mobile computing and handheld usage. It should set out clearly the requirements for physical protection, access controls, cryptography, back-ups and malware protection. It should include clear guidance on how to connect to the organizational network and how mobile tools should be used in public places. ‘Public places’ include meeting rooms outside the organization’s own secure premises and wherever notebooks and handhelds remain tempting targets for hackers and thieves, who can have as much impact on the availability of data as a particularly virulent virus. Guidance on where mobile devices may be used, and for what purposes, should also be provided, with due consideration being given to who may be able to see or hear what is being ‘processed’.
The organization will need to develop an effective method of ensuring that anti-malware protection is completely up to date on mobile computers (which are also known as ‘endpoints’, reflecting the reality that for many networks, it is the notebook and mobile devices that exist beyond the secure corporate perimeter that are the endpoint for corporate security activity). This is best done by using an automatic update service that updates all computers the moment they log on to the organizational network. It is important that the mobile user is not given any authority to override this update and is not able to proceed until the update is complete. This principle should extend to ensuring that the software is fully patched, with all service packs installed; it is not unknown for someone whose primary use of a laptop is for e-mail to avoid actually logging on to the system for months on end, with the consequence that many patches and service packs are not installed. End-point security products have emerged to deal with these specific issues.
Where remote users access organizational facilities, strong authentication should be used, which makes use of strong protocols. Consideration should be given to authenticating the machine as well as the user to provide for the situation where a notebook has been stolen and the user authentication information compromised. The situations where this will be necessary should be identified through the risk assessment.
Back-up procedures (using, for instance, web-based data back-up services) are very important; unlike the requirement that should be in place for computers on a fixed network (no data stored on the C: drive), mobile computers may have all their data stored on the C: drive. The requirement for regular individual back-ups, together with a workstation configuration that automatically backs up the ‘My Documents’ folder to the main server
MOBILE DEVICES 117
when a laptop is logged on to the network (over an appropriate connection), combined with a requirement that any physical back-up media are appro- priately protected from theft, loss or degradation (issue protective, lockable boxes), is essential.
Physical security (ensuring that unattended notebooks are locked away and/or fitted with security locks and that notebooks with sensitive informa- tion are encrypted and are never left unattended) is an equally important component of an effective mobile computing policy. Given the ridiculously high number of laptops and smartphoness that are lost, stolen or otherwise go missing every year, organizations need to develop specific reporting and recovery procedures based on a risk assessment that includes any legal or insurance issues that may be relevant to the organization. Users should be physically trained in how to do these and should demonstrate that they know how to before they are released into the world with a notebook or handheld.
The proliferation of wireless networks, wireless networking facilities and public wireless access spots has brought a new dimension to mobile comput- ing security. The fact that an individual can access a public wireless network (from, for instance, an airport lounge or a coffee shop) is both extremely convenient and potentially very dangerous. It can be more dangerous than accessing the internet through a fixed link, in that a wireless computer is broadcasting information to the wireless access point – and, therefore, all that information is available to anyone who is interested in it.
A widely deployed security standard deployed on laptop computers is still (Wired Equivalent Privacy). It does not give the privacy of a wired equivalent; it is insecure, and there are many websites that provide informa- tion on its inadequacies and how to attack WEP, to decrypt current traffic, to inject new unauthorized traffic or, ultimately, to access the laptop itself. The default configuration for laptops should be that WEP is switched off. It is just as important to secure laptops that may use public access points to access corporate networks; WPA (preferably WPA2) and VPNs should be part of the basic security configuration.
It is essential that before any laptops are issued to mobile users, the organization carry out a risk assessment, and deploy those technological controls (which themselves are evolving quickly) that are most likely to minimize the threat to the organization arising from wireless vulnerabilities.
Increasingly, mobile phones and smartphones are falling within the cate- gory of information processing devices that this section is designed to address, and they should therefore, as previously indicated, also be subject
IT GOVERNANCE118
to appropriate controls determined as the result of a risk assessment. Clearly, consideration needs to be given to the logical boundaries between organiza- tional data and the systems, software and Apps on smartphones, which takes us back to the BYOD issues identified earlier.
Teleworking
Control 6.2.2 of ISO27002 says the organization should develop policies, operational plans and procedures to authorize and control teleworking activities. Where the organization has both teleworkers and mobile workers, the two policies should be integrated. Teleworking has increasingly become an extension of mobile working, rather than being simply one or a few work- ers based outside the organizational perimeter and accessing the network from time to time. The only significant difference between the two is that teleworking involves a fixed base and fixed connection to the organizational network; more information and more extensive facilities tend to exist in the teleworking location. The location itself, usually an employee’s home, does not have anything like the physical security that might be available in the workplace and is also vulnerable to domestic thieves.
There are particular controls that should be considered for teleworkers, and these should reflect a risk assessment and be incorporated into a formal policy within the ISMS. The teleworker should be required to sign a suitably modified version of the access agreement discussed in Chapter 12. A NIST publication, Security for Telecommuting and Broadband Communications, SP 800–44, available from the NIST website (https://csrc.nist.gov (archived at https://perma.cc/Z5WL-42XB)), is designed to help system administra- tors and users tackle the information security issues around these areas, and while written for a US audience, it is of value elsewhere. There are also issues of health and safety that will need to be considered, but these are outside the scope of this book.
The risk assessment should consider specific issues in relation to remote locations. Where the organization has a substantial number of teleworkers (eg staff working from home, either permanently or infrequently but regu- larly), it might consider a standardized form of risk assessment that looks for exceptions to minimum requirements, can be carried out at a distance and depends on employee information for completion. This input should be subject to random physical checks. If the system is too complex and
MOBILE DEVICES 119
time-consuming to set up, the benefits to be gained from teleworking will be outweighed by the work it requires to set someone up.
A key issue to consider, for teleworkers, is the physical security of the site. The organization should look at the physical security of the proposed build- ing (usually a house) and also take into account the security of the surrounding area. The teleworking environment within the building should also be considered: is it a separate office or is it in a communal area? The communications requirement should be assessed; this should take into account the information classification, the underlying linking technology and the sensitivity of the system to which it links. Lastly, the threat of unau- thorized access to the facilities (including from family and friends) should also be assessed.
There are a number of controls that might be considered and that should be included in the teleworking policy. As with the mobile working policy, teleworkers should not be authorized to start activity until they are satisfac- torily trained. The controls should include provision, by the organization, of suitable and adequate equipment and appropriate furniture that make stor- age and proper usage possible. Consideration should be given to printers, files, peripheral drives and safety equipment such as anti-glare screens and wrist rests that might be available in the workplace. Full-size screens, keyboards and mice might also be appropriate.
The permitted work should be defined, including the hours of work and the classification of information that may be held at, or accessed from, the location. The organizational systems and services that the user is authorized to access should also be described. Appropriate communication equipment should be provided (internal modem, ISDN, ADSL, broadband, etc, depend- ing on communication needs, available technology and the cost–benefit analysis), and how secure remote access is ensured must also be decided. Physical security – how the equipment is to be protected against breakage and theft – is as important as the establishment of appropriate insurance cover for it (it should not be left to the employee to organize cover under a household policy, as this will usually not be applicable). There should be rules about what access families and friends can have to the facilities and to the equipment. Critically, these must take into account any other devices that may run on a home network and any wireless devices or wireless networking. Appropriate steps should be taken to provide hardware and software support and maintenance; usually this includes an extended service from the organizational helpdesk staff, whose hours will need to be extended
IT GOVERNANCE120
to cover home working and whose skills will need to encompass their pecu- liar problems.
There are specific issues that will need to be addressed if the teleworker is going to use privately owned equipment. One such issue could be that of ownership of business ideas or intellectual property developed on privately owned equipment either during or after working hours, and this issue should be addressed (depending on the risk assessment) with the help of the organ- ization’s professional legal advisers; appropriate clauses, which should also cover dispute resolution, should be inserted into the teleworker’s access agreement. Other issues specific to privately owned equipment include the need for the organization to access the equipment (either to check security or as part of an investigation); software licensing agreements consequent upon the deployment to a private machine of organization-specific software; and requirements about the level of firewall and anti-malware protection. Like the IP issue, these should all be addressed in the light of a risk assess- ment and with professional advice that informs the teleworker’s access agreement.
There should be clear rules about back-up, anti-malware and continuity plans, with appropriate resources provided to make this as easy as possible. It should be borne in mind that the risks to the organization are greater in relation to individual teleworkers than in relation to individual users on the organizational network.
Teleworkers should certainly be subject to audit and monitoring just as for any other person attaching to the network, and there should also be a documented process for revoking general or specific teleworking authoriza- tions and to ensure that all equipment is returned.
8
Human resources security
Clause 5.1 of the standard requires the organization to ensure that the resources needed for the ISMS area available and clause 7.2 requires that that whoever is assigned an ISMS-related task has the necessary compe- tence. The HR aspects of two clauses can be satisfied at the same time as the relevant HR controls are implemented.
Clause 7.2, in particular, requires the organization to determine what competences are necessary for those doing work within the ISMS, and then to ensure (by assessment and evaluation) that these persons are actually competent, providing relevant education, training or experience, and to keep appropriate documentary evidence. Note that ‘persons doing work under organization’s control’ can extend to volunteers, associates and contractors as well as full-time employees.
Section 7 of ISO27002 is structured to deal with human resources secu- rity in a way that covers the three stages of employment: pre-employment, during employment and post-employment. Control 7.1 of the standard deals with pre-employment security issues. The objective of this clause is to ensure that employees and contractors are suitable for their roles, and understand their information security responsibilities. Control 7.1.1 deals with pre-employment screening, and 7.1.2 deals with contracts and roles and responsibilities in respect of the ISMS and information security within the organization. This should include both general and specific responsibilities.
Job descriptions and competency requirements
Every job description should contain: 1) a description of the competencies required for the role; and 2) a statement to the effect that every employee is required to be aware of the organization’s policy on information security
IT GOVERNANCE122
(a copy of the policy might be attached to the job description) and to take whatever actions may from time to time be required of him or her under the terms of the organization’s ISMS. In particular, the employee’s attention should be drawn to the responsibility to protect assets from unauthorized access, disclosure, modification, destruction or interference, the information classification and handling rules, the access controls (both physical and logi- cal), the incident reporting procedure, the requirements to carry out any other specific procedures and processes, the requirement personally to improve competence and skills in this area, and the fact that the employee will be held accountable for his or her acts of commission and omission. The job description should set out clearly that breach of information security controls may be considered a misdemeanour under the organization’s disci- plinary policy and that breach of them might, under specific circumstances, result in dismissal.
Specific requirements should in addition be included in the job descrip- tions of particular individuals. If the organization prefers not to identify required competencies for all roles, it will at least be necessary to do so for those involved in the ISMS. The people who should be considered for such specific requirements include:
●● the chief information and/or the chief information security officer;
●● the information security adviser;
●● members of the information security management forum;
●● IT managers;
●● network and website managers;
●● IT, website and helpdesk support staff;
●● premises security staff;
●● HR, recruitment and training staff;
●● general managers;
●● finance staff;
●● the company secretary and legal staff;
●● the business continuity and emergency response team.
People in each of these functions (and there are likely to be others – each organization is different and each organization needs to make arrangements that are appropriate to it) are likely to have a direct impact on the effective- ness of implementation of the information security policy and the ISMS.
HUMAN RESOURCES SECURITY 123
While Chapter 4 contained an initial discussion of the generic responsibili- ties that apply to particular functions, the only effective way to ensure that all information security responsibilities are captured will be for the members of the information security management forum to work through all the clauses of the standard, identifying which members of staff will be responsi- ble for implementing the clause or will be affected by it. These responsibilities should then be included in the job descriptions for these people.
This analysis should be underpinned by a review of all the roles, func- tions and employment levels of staff within the organization; this review should consider what responsibility, if any, people in given roles will have in ensuring the confidentiality, integrity and availability of information in the organization. The conclusions of this review should be compared with those generated by the analysis carried out on the basis of the clauses of the stand- ard. A statement of information security responsibility that combines both outputs should then be the final form of the amendment to the job description.
This statement of information security responsibility could either have a separate headlined and complete paragraph in the job description, in which case the member of staff affected should sign and date a copy of the amended job description, or there should be a separate statement attached to the job description and referred to in the job description, in which case both docu- ments should be signed and dated by the employee. The signed document should then be retained on the individual’s personnel file.
As part of any arrangements with third parties that involve their access to the organization’s information assets, security roles and responsibilities that match those required by the organization should be implemented by the third party and appropriately monitored by the organization.
Screening
Control 7.1.1 of ISO27002 deals with verification checks on permanent staff and contractors at the time of job applications. The organization should identify who will be responsible for carrying this out, how it will be done, how the data will be managed and who will have what authority in respect of the data and the recruitment process. Any screening and data collection activity must be carried out in accordance with the relevant local legislation. There is, in some roles, a legal requirement to carry out criminal screening, and there are clearly risks in taking unknown staff into the organization, not just in terms of fraud and confidentiality but also in terms
IT GOVERNANCE124
of integrity and availability. An inadequately experienced IT staff member could mismanage a vital server or application in such a way that informa- tion availability and integrity are compromised. This clause provides more information about the type of verification envisaged. It sets out five basic checks that should be completed:
1 Character reference checks, one personal and one business. These should, for preference, be written, but a substitute might be a signed and dated detailed note of a telephone reference given by a nominated third party to a competent (ie experienced in carrying out telephone reference checks) member of the organization’s staff.
2 A completeness and accuracy check of the employee’s curriculum vitae; this is usually carried out by means of written references supplied by previous employers or third-party organizations, and most employers will already have standard documents that are sent out to guide these third parties in replying. It is critical that the employer is methodical in ensuring that all facts are corroborated and that all forms are returned, duly completed, by previous employers. Where they are not returned within a defined time period (which should be short – perhaps 10 days at the outside), the organization should arrange to complete the form by means of a telephone interview with the previous employer.
3 Confirmation of claimed academic and professional qualifications, either by means of obtaining from the candidate copies of the certificates or other statement of qualification or through an independent CV checking service. These firms can, for a nominal sum, carry out detailed CV checks (including the checking of academic and other qualifications) that would satisfy the requirements of both point 2 above and this point 3.
4 There should be an independent identity check against a passport or similar document that shows a photograph of the employee.
5 A more detailed review of the individual’s credit history and/or criminal record may be appropriate for those who will have access to more sensitive information. These checks are available from specialist providers.
6 Finally, and this is in addition to the ISO27002 list, the individual’s entitlement to live and work in the country should be confirmed, by reference to appropriately endorsed travel or work documents.
Where a job, either on initial appointment or on promotion, involves access to information processing facilities, and particularly if it involves processing sensitive (financial or highly confidential) information, there should also be
HUMAN RESOURCES SECURITY 125
a credit check. Where individuals have considerable authority in their posi- tion, this check should be repeated regularly, either quarterly or annually as appropriate.
Normal practice would be that, while a draft contract is agreed between the prospective employee and the organization, it is not signed and the employee does not start work until the checks have been completed. Depending on the outcome of a risk assessment, some organizations might choose to allow people to start work, particularly in roles that deal with only a low level of information, subject to satisfactory references; in these circumstances, it is necessary to set a time limit within which the reference checking will be complete. The contract of employment will usually not be signed by the organization until the reference checks are completed, and if they are unsatisfactory or not completed within the allocated time, the employee is dismissed. A similar process should be carried out for tempo- rary or agency staff and contractors.
Where the staff are supplied by another organization (and this is often the case with IT staff, who are often directly employed by or contracted to the agency concerned), the contract with the third party should set out clearly its responsibility to carry out checks to a similar level. The contract also needs to set out what steps the agency has to take where answers to the screening process have been unsatisfactory or the process itself has not been completed. At the very least, these should include informing the employing organization, and in full, without delay, offering to replace any individual who has already started work, immediately and at no additional cost. The contracting organization should have adequate professional indemnity insurance, and this should be checked by obtaining and keeping on file a copy of the current insurance certificate.
While this may be relatively easy to implement for future hires, the organ- ization has to decide what to do in respect of existing staff. It will not be sufficient simply to adopt the approach that because the staff are already there, there will be no problems. Undoubtedly, the correct approach to this situation is to ensure that the organization has records for existing staff of equivalent completeness to those required for new hires. It will be important that existing staff are made aware that this process is to be carried out and that it will be done openly and quickly.
Statistically, the likelihood is that every organization will discover that one or more members of its staff have incorrect or false CVs. Each of these instances will have to be tackled, and the organization will have to judge the extent to which the individual threatens its information security; the
IT GOVERNANCE126
organization’s direct experience of the employee in the work environment may provide sufficient evidence to act on or to set aside the inaccuracy in the CV. If it is to be set aside, the employee should certainly be made aware that the inaccuracy was uncovered, and the reasons for its being set aside should be explained. This simple step can help the employee avoid such behaviours in the future.
New and/or inexperienced staff may, at certain times, have to be author- ized to have access to sensitive systems. The company should identify what level of supervision will be required in such circumstances and ensure that it has in place a procedure for providing the appropriate level of supervision. The performance of all staff in respect of information security, particularly those who have access to sensitive information, should be reviewed on a regular basis (at least annually) and appropriate steps taken to ensure that the standards set by the organization are maintained. This review can be by means of one or more questions that are incorporated into an existing annual appraisal system.
At annual reviews, and on a day-to-day basis, line managers within the organization should be aware of unusual behaviour by members of staff that may be signs of stress, personal problems or financial challenges. Apart from the human benefits of helping employees deal with these challenges, such issues have been known to affect people’s performance negatively (which may, of course, have implications for information security) and may also lead some individuals to commit crimes or fraud. Managers should be appropriately trained to spot and handle these situations within the restric- tions of the relevant legislation.
Personnel vetting levels in respect of UK government information can vary according to the classification of material that the job holder will normally need to access. If you require advice on the application of clear- ance levels in this context, the appropriate department security officer will be able to advise you.
Terms and conditions of employment
Control 7.1.2 of ISO27002 says the organization should ensure that employ- ees and contractors all agree and sign an employment contract that contains terms and conditions covering, inter alia, their and the organization’s responsibilities for information security. These terms and conditions should include a confidentiality agreement, constructed in accordance with local
HUMAN RESOURCES SECURITY 127
legal guidance, that covers information acquired prior to and during the employment and the effect of which should continue beyond the end of the employment.
This confidentiality agreement should be drafted by the organization’s lawyers. It should form an integral part of the contract of employment, so that acceptance of terms of employment automatically includes acceptance of the confidentiality agreement.
There are circumstances in which someone who is working for the organ- izatio