Gibson Darril

CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide


Скачать книгу

an employee should be handled in a private and respectful manner. However, this does not mean that precautions should not be taken. Terminations should take place with at least one witness, preferably a higher-level manager and/or a security guard. Once the employee has been informed of their release, they should be escorted off the premises and not allowed to return to their work area without an escort for any reason. Before the employee is released, all organization-specific identification, access, or security badges as well as cards, keys, and access tokens should be collected (Figure 2.3). Generally, the best time to terminate an employee is at the end of their shift midweek. A early to midweek termination provides the ex-employee with time to file for unemployment and/or start looking for new employment before the weekend. Also, end-of-shift terminations allow the worker to leave with other employees in a more natural departure, thus reducing stress.

Figure 2.3 Ex-employees must return all company property.

      When possible, an exit interview should be performed. However, this typically depends on the mental state of the employee upon release and numerous other factors. If an exit interview is unfeasible immediately upon termination, it should be conducted as soon as possible. The primary purpose of the exit interview is to review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation.

      The following list includes some other issues that should be handled as soon as possible:

      ■ Make sure the employee returns any organizational equipment or supplies from their vehicle or home.

      ■ Remove or disable the employee’s network user account.

      ■ Notify human resources to issue a final paycheck, pay any unused vacation time, and terminate benefit coverage.

      ■ Arrange for a member of the security department to accompany the released employee while they gather their personal belongings from the work area.

      ■ Inform all security personnel and anyone else who watches or monitors any entrance point to ensure that the ex-employee does not attempt to reenter the building without an escort.

      In most cases, you should disable or remove an employee’s system access at the same time or just before they are notified of being terminated. This is especially true if that employee is capable of accessing confidential data or has the expertise or access to alter or damage data or services. Failing to restrict released employees’ activities can leave your organization open to a wide range of vulnerabilities, including theft and destruction of both physical property and logical data.

       Firing: Not Just a Pink Slip Anymore

      Firing an employee has become a complex process. Gone are the days of firing merely by placing a pink slip in an employee’s mail slot. In most IT-centric organizations, termination can create a situation in which the employee could cause harm, putting the organization at risk. That’s why you need a well-designed exit interview process.

      However, just having the process isn’t enough. It has to be followed correctly every time. Unfortunately, this doesn’t always happen. You might have heard of some fiasco caused by a botched termination procedure. Common examples include performing any of the following before the employee is officially informed of their termination (thus giving the employee prior warning of their termination):

      ■ The IT department requesting the return of a notebook computer

      ■ Disabling a network account

      ■ Blocking a person’s PIN or smartcard for building entrance

      ■ Revoking a parking pass

      ■ Distributing a company reorganization chart

      ■ Positioning a new employee in the cubicle

      ■ Allowing layoff information to be leaked to the media

      It should go without saying that in order for the exit interview and safe termination processes to function properly, they must be implemented in the correct order and at the correct time (that is, at the start of the exit interview), as in the following example:

      ■ Inform the person that they are relieved of their job.

      ■ Request the return of all access badges, keys, and company equipment.

      ■ Disable the person’s electronic access to all aspects of the organization.

      ■ Remind the person about the NDA obligations.

      ■ Escort the person off the premises.

Vendor, Consultant, and Contractor Controls

      Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA).

      Using SLAs is an increasingly popular way to ensure that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed on by both the service provider and the vendor. It’s a wise move to put SLAs in place for any data circuits, applications, information processing systems, databases, or other critical components that are vital to your organization’s continued viability. SLAs are important when using any type of third-party service provider, which would include cloud services. The following issues are commonly addressed in SLAs:

      ■ System uptime (as a percentage of overall operating time)

      ■ Maximum consecutive downtime (in seconds/minutes/and so on)

      ■ Peak load

      ■ Average load

      ■ Responsibility for diagnostics

      ■ Failover time (if redundancy is in place)

      SLAs also commonly include financial and other contractual remedies that kick in if the agreement is not maintained. For example, if a critical circuit is down for more than 15 minutes, the service provider might agree to waive all charges on that circuit for one week.

      SLAs and vendor, consultant, and contractor controls are an important part of risk reduction and risk avoidance. By clearly defining the expectations and penalties for external parties, everyone involved knows what is expected of them and what the consequences are in the event of a failure to meet those expectations. Although it may be very cost effective to use outside providers for a variety of business functions or services, it does increase potential risk by expanding the potential attack surface and range of vulnerabilities. SLAs should include a focus on protecting and improving security in addition to ensuring quality and timely services at a reasonable price.

Compliance

      Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern to security governance. On a personnel level, compliance is related to whether individual employees follow company policy and perform their job tasks in accordance to defined procedures. Many organizations rely on employee compliance in order to maintain high levels of quality, consistency, efficiency, and cost savings. If employees do not maintain compliance, it could cost the organization in terms of profit, market share, recognition, and reputation. Employees need to be trained in regard to what they need to do; only then can they be held accountable for violations or lacking compliance.

Privacy

      Privacy can be a difficult concept to define. The term is used frequently in numerous contexts without much quantification or qualification. Here are some partial definitions of privacy:

      ■ Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization)

      ■ Freedom from unauthorized access to information deemed personal or confidential

      ■