Fri Dec 5 09:28:48 PST 2014

Management: Personnel: How should the personnel issues with information protection be managed?


Options:

Option 1: HR department handles or is involved in all substantial personnel issues.
Option 2: Life cycles associated with personnel are tracked and used to make decisions about behaviors and authorizations.
Option 3: Awareness levels are tracked and, when inadequate to the task, upgraded before continued use.
Option 4: Knowledge as shown by qualifications and suitability for tasks is tracked and used to determine suitability for jobs.
Option 5: Trustworthiness is determined to map personnel with risk in analyzing protection issues.
Option 6: History is used to analyze trustworthiness and suitability for jobs and clearances.
Option 7: Special capabilities or talents are tracked and used to assist in task assignments.
Option 8: Intent as expressed by individuals is used to assess trustworthiness and suitability for tasks and jobs.
Option 9: Modus operandi is used as an indicator of future behavior.
Option 10: Changes of employment status, job title, etc. are integrated into roles and authorization decisions.
Option 11: Clearances and need to know are tracked for personnel dealing with high consequence content and systems.
Option 12: Identity management (IdM) is integrated with personnel systems to assure that records and mechanisms are authoritative and timely.

Decision:

For the defined maturity and risk levels, all of the identified issues should be addressed. Choose ALL that apply (+ indicates "or higher", - indicates "or lower").

Maturity     Risk Level  Issue                                                                                                                          Status
All          All         HR department handles or is involved in all substantial personnel issues.
Managed+     Medium+     Life cycles associated with personnel are tracked and used to make decisions about behaviors and authorizations.
Defined+     Medium+     Awareness levels are tracked and, when inadequate to the task, upgraded before continued use.
All          All         Knowledge as shown by qualifications and suitability for tasks is tracked and used to determine suitability for jobs.
Defined+     High        Trustworthiness is determined to map personnel with risk in analyzing protection issues.
Defined+     Medium+     History is used to analyze trustworthiness and suitability for jobs and clearances.
Managed+     Medium+     Special capabilities or talents are tracked and used to assist in task assignments.
Managed+     Medium+     Intent as expressed by individuals is used to assess trustworthiness and suitability for tasks and jobs.
Defined+     Medium+     Modus operandi is used as an indicator of future behavior.
Managed+     Medium+     Changes of employment status, job title, etc. are integrated into roles and authorization decisions.
Managed+     High        Clearances and need to know are tracked for personnel dealing with high consequence content and systems.
Repeatable+  Medium+     Identity management (IdM) is integrated with personnel systems to assure that records and mechanisms are authoritative and timely.

Table: Management of personnel issues

Basis:

HR department handles or is involved in all substantial personnel issues.
Personnel security issues focus on the people involved in the protection process and on verifying that they meet the necessary and appropriate standards and qualifications required for their duties. As such, it is the responsibility of HR to make certain that all appropriate functions are carried out, and carried out within the confines of applicable laws.

Life cycles associated with personnel are tracked and used to make decisions about behaviors and authorizations.
Life cycles associated with personnel generally involve conception, pregnancy, birth, education, marriage, divorce, training, hiring, promotion, demotion, suspension, vacation, illnesses, leaves, job changes, moves, resignation, termination, retirement, death, and legacy issues. All of these interact with information protection issues in one way or another.

Awareness levels are tracked and, when inadequate to the task, upgraded before continued use.
Awareness levels in defined areas should be tracked to assure that all personnel have appropriate awareness of the key issues associated with their job functions, and that those who are not properly qualified and aware are not permitted to do things that require that level of awareness. At a minimum, security awareness programs have to touch each individual in an enterprise every 6 months to keep awareness at a level high enough to be effective.

Knowledge as shown by qualifications and suitability for tasks is tracked and used to determine suitability for jobs.
Knowledge associated with personnel helps to determine qualifications and suitability for tasks and jobs. Knowledge tends to be tracked by degrees and related programs, job history, and defined areas of expertise within the enterprise. Advanced degree programs tend to be reimbursed by the company if job-related, and these are also tracked in the enterprise.

Trustworthiness is determined to map personnel with risk in analyzing protection issues.
Trustworthiness is hard to assess, but trust is often granted based on limited experience. Many of the least trustworthy people are the most trusted, because professional confidence operators are very skilled at displaying the things that generate trust even when it is not deserved. Many companies place excessive trust in insiders and suffer the consequences. A systematic approach to the evaluation of trust, including time in position and life-related characteristics, is more effective at predicting trust-related behavior than the non-measurable qualities associated with personal friendships and liking.

History is used to analyze trustworthiness and suitability for jobs and clearances.
History is often cited as the best predictor of future performance. Background checks and detailed information from personnel records and references tend to produce historical information about personnel that helps make reasonable and prudent decisions in this space. Missing history information on individuals in personnel records is a strong indicator of potential abuses of the system and should lead to detailed investigations.

Special capabilities or talents are tracked and used to assist in task assignments.
Capabilities associated with individuals help lead to their assignment to suitable tasks. Specific individuals have special talents or training that produces capabilities that are unusual or hard to train or find. These should be identified for specific information protection tasking.

Intent as expressed by individuals is used to assess trustworthiness and suitability for tasks and jobs.
Intents are more difficult to understand than capabilities. However, indicated intents are often provided in letters, writings, and similar materials and should generally be explored as indicative of likely behaviors. Group memberships and similar factors tend to indicate intent, particularly in groups with widely declared intents such as animal rights groups, ecological groups, and so forth.

Modus operandi is used as an indicator of future behavior.
Modus operandi is typically associated with criminal behavior, but all people display methods of operation that tend to be reproduced over time. This is useful as an indicator for future tracking and attribution as well as for understanding how likely interactions will take place and be received.

Changes of employment status, job title, etc. are integrated into roles and authorization decisions.
Roles are typically associated with groups of individuals and individuals may be associated with many roles, depending on their tasking within the enterprise. These roles are then translated into authorizations associated with functions on systems. People are moved from role to role as they move from job to job, with the roles refilled for operational continuity. Changes of employment status, job title, responsibilities, and so forth are all issues that involve information protection functions such as access to systems. Change tracking for personnel and integration into accounts in information systems, access passes, and so forth are critical to effective protection.

Clearances and need to know are tracked for personnel dealing with high consequence content and systems.
Clearances are generally associated with individuals. These are generated through formal processes, screened by authorized screeners, and tracked and maintained by personnel systems. Clearances reflect levels of trust relative to applicable standards. Need-to-know information relates to specific work areas and projects. This too is tracked by personnel-related records and must be protected to guard projects against systematic exploitation of the associated individuals.

Identity management (IdM) is integrated with personnel systems to assure that records and mechanisms are authoritative and timely.
Identity management (IdM) interfaces provide for interactions between the identity management system and personnel, systems, and others tasked with making decisions about individual access. They are typically integrated with personnel systems to assure that records are up to date with authoritative sources.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved